Enterprise Risk Assessments (ERAs), analyses of the impact and likelihood of potential threats to an organization, have not kept pace with the business. The pace of change has left these time- and resource-intensive assessments behind, and at best they qualified risk without any form of quantification.
At VerSprite, we recognized this long ago and worked on evolving the assessment into a methodology that provides not only a quantified and qualified risk assessment but an actionable threat model.
Among genuine risk-analysis frameworks, FAIR (Factor Analysis of Information Risk) has always been one near and dear to VerSprite's GRC program, because FAIR decomposes risk into loss event frequency, loss magnitude, and threat event frequency. The threat, impact, and cadence factors behind those quantities align well with VerSprite's Organizational Threat Model (OTM).
The OTM is a 7-stage process, inspired by the application threat modeling methodology, PASTA, that is applied at an organizational level. Much like application threat models, the intent is to have risks proven by various important contexts – business impact, likelihood, and the effectiveness of native countermeasures (or controls) that help reduce inherent risk levels.
The Organizational Threat Model is intended to evolve beyond the speculative nature of ERAs and more concretely into evidence-based assessments.
As such, OTM unifies three distinct security assessment types: business impact analysis (BIA), red team exercises, and the enterprise risk assessment (ERA).
The OTM is meant to be threat-inspired evidence, drawn from both threat data (internal to security operations) and threat intelligence (external intelligence and advisories), together with proof of threat viability through targeted red team exercises that test attack patterns and support the threat assertions in the model.
Everything culminates into a residual risk analysis that looks at how the organization performed after the smoke has cleared from the adversarial patterns launched tactically against the organization and its defenses. Exposures at all layers of the proverbial security onion can reflect shortcomings in endpoint protection, network security, application security, organizational security awareness, cloud security, incident response (IR) processes, and much more.
OTMs aim not only to qualify the elements of risk for an organization better, but also to quantify how residual risks translate into impact levels for the organization. Residual risk should always be the focus of any type of risk analysis. ERAs have long been performed by large and mid-size consulting firms as an elaborate control gap analysis, and those days are over: it is simply a "check the box" approach that offers no implementable results.
It is critical to understand how security gaps translate into business cost for the organization's products or services. Quantifying the impact of CIA (confidentiality, integrity, and availability) risks is much easier through an offensive-minded OTM that ties back to what is mission critical for the company receiving it.
Let's take a closer look at the Organizational Threat Model methodology. It follows the seven PASTA stages at an organizational level and incorporates BIA, red team exercises, and ERA.
Stage 1. Determining business objectives and the level of security requirements needed to support the organization's business goals while meeting security and compliance standards.
Stage 2. Defining the technical scope and boundaries of the threat model. Key factors are the various workflows, technologies, software, hardware, and services used by the organization.
Stage 3. Categorizing every workflow, architectural, and technology component whose function is to provide security controls (e.g., authentication, encryption) or security features (such as protection of CIA) and which could therefore have business and security impact.
Decomposing the organization's network into its essential elements (users, servers, data assets, IoT devices, endpoints, cloud, etc.) so that each can be further analyzed for attack simulation and threat analysis from both the attacker's and the defender's perspective.
Stage 4. Enumerating the possible threats targeting the organization's various assets.
Identifying the most probable attack scenarios based upon threat agent models, security event monitoring, fraud mapping, and threat intelligence reports.
The final goal of this stage is to analyze the threat and attack scenarios and prioritize them for the attack simulation.
Stage 5. The main goal of this stage is to map the vulnerabilities identified for different assets to the threats and attack scenarios identified in the previous stage.
Structured techniques for mapping threats to vulnerabilities, such as threat trees, are used to decide which ones will be exercised against the assets.
Stage 6. This stage analyzes how the organization and its context (endpoints, employees, end users, environment, network, etc.) can be attacked by exploiting those vulnerabilities, drawing on attack libraries and attack vectors. The goal is to document the mapped attacks and how each vulnerability can be exploited by different attack methods.
Stage 7. The final stage of the OTM analyzes residual risk and business impact.
The goal of this stage is to quantify and qualify business impact, identify gaps in security controls, calculate residual risk, and provide risk mitigation strategies.
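As an added illustration of how the FAIR-style factors mentioned earlier (threat event frequency, vulnerability, loss magnitude) can be turned into the inherent and residual risk numbers this final stage calls for, here is a small Monte Carlo calculation. It is example code written for this page, not VerSprite's tooling, and every scenario value, control effectiveness figure, and function name in it is a hypothetical assumption chosen for illustration.

```python
import random
import statistics
from dataclasses import dataclass


@dataclass
class Scenario:
    """One attack scenario from the threat model, described with FAIR-style factors.

    Each range is (min, most_likely, max). The values used below are hypothetical
    and constructed for illustration only.
    """
    name: str
    tef: tuple                  # threat event frequency, attempts per year
    vulnerability: tuple        # probability an attempt becomes a loss event, 0..1
    loss_magnitude: tuple       # loss per loss event, in dollars
    control_effectiveness: float  # share of attempts the existing controls stop, 0..1


def pert(rng, low, mode, high, lam=4.0):
    """Draw from a modified PERT distribution, expressed through its Beta form.

    PERT is the usual way FAIR practitioners turn a (min, most likely, max)
    estimate into a distribution that can be sampled.
    """
    if high == low:
        return low
    a = 1 + lam * (mode - low) / (high - low)
    b = 1 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(a, b) * (high - low)


def expected_annual_loss(scenario, effectiveness=0.0):
    """Point estimate of annualized loss using the most-likely values.

    loss event frequency = TEF * vulnerability * (1 - control effectiveness)
    annualized loss      = loss event frequency * loss magnitude
    """
    tef = scenario.tef[1]
    vuln = scenario.vulnerability[1] * (1.0 - effectiveness)
    return tef * vuln * scenario.loss_magnitude[1]


def simulate(scenario, trials=20000, seed=1):
    """Monte Carlo estimate of inherent and residual annualized loss.

    Inherent loss ignores the existing controls; residual loss applies the
    control effectiveness measured (for example) by a red team exercise.
    Both are computed from the same random draws so the comparison is paired.
    """
    rng = random.Random(seed)
    inherent, residual = [], []
    for _ in range(trials):
        tef = pert(rng, *scenario.tef)
        vuln = pert(rng, *scenario.vulnerability)
        magnitude = pert(rng, *scenario.loss_magnitude)
        loss = tef * vuln * magnitude
        inherent.append(loss)
        residual.append(loss * (1.0 - scenario.control_effectiveness))

    def p90(samples):
        # statistics.quantiles(n=10) returns 9 cut points; index 8 is the 90th percentile
        return statistics.quantiles(samples, n=10)[8]

    return {
        "name": scenario.name,
        "trials": trials,
        "inherent_mean": statistics.fmean(inherent),
        "inherent_p90": p90(inherent),
        "residual_mean": statistics.fmean(residual),
        "residual_p90": p90(residual),
    }


def prioritize(scenarios, trials=20000, seed=1):
    """Rank scenarios by mean residual annualized loss, highest first."""
    results = [simulate(s, trials=trials, seed=seed) for s in scenarios]
    return sorted(results, key=lambda r: r["residual_mean"], reverse=True)


# Hypothetical scenarios (constructed sample data, not real assessment findings).
PHISHING_TO_VPN = Scenario(
    name="credential phishing leading to VPN access",
    tef=(4, 12, 30),
    vulnerability=(0.10, 0.25, 0.50),
    loss_magnitude=(50_000, 200_000, 1_000_000),
    control_effectiveness=0.60,   # e.g. MFA plus mail filtering, as tested by the red team
)
EXPOSED_STORAGE = Scenario(
    name="public cloud storage bucket exposure",
    tef=(1, 3, 8),
    vulnerability=(0.30, 0.60, 0.90),
    loss_magnitude=(20_000, 150_000, 600_000),
    control_effectiveness=0.20,   # only periodic manual review in place
)

if __name__ == "__main__":
    for r in prioritize([PHISHING_TO_VPN, EXPOSED_STORAGE]):
        print(f"{r['name']}: inherent mean ${r['inherent_mean']:,.0f}, "
              f"residual mean ${r['residual_mean']:,.0f}, residual p90 ${r['residual_p90']:,.0f}")
```

The point estimate (`expected_annual_loss`) is what a spreadsheet ERA usually stops at; the simulation shows the spread a risk owner actually has to plan for, and `prioritize` orders scenarios by residual rather than inherent loss, which is the ordering the OTM cares about. In practice the control effectiveness figure should come from the red team stage rather than a guess, and the assumed independence of the three factors is a simplification.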
As the methodology breakdown shows, the ERA is only a small part of a comprehensive, effective organizational threat model. At VerSprite, we believe that in the modern, evolving cyber landscape the way we assess threats and risks to enterprises must evolve too. An ERA neither quantifies risk nor yields an actionable assessment with cost-effective security solutions that organizations can implement and build their threat models on.