Why Treating Threat Modeling as a Net-New Security Activity Will Strain your Enterprise.

Security champions are now being joined by a chorus of regulators and government officials who praise embellishing threat modeling activities for improved software/product security. Threat modeling is increasing in both use and reference.

However, implementing threat modeling simply as another security initiative to layer on an already burdened enterprise may be a better approach when implementing a process that could pay long-term dividends to product owners, development managers, and other key internal stakeholders. Treating threat modeling as a net-new security activity will strain your enterprise. As with anything else, it’ll come down to execution.

Embellishing Threat Modeling: Easy for Me, Hard for You

aligned to an elaborate process can surely bring some easy wins for saying, “Look CISO, we got threat models!” however, these efforts and results will appear to the internal customer as simply another security effort piled onto a dozen or so other security efforts that they don’t understand, or, even worse, value.

These well-intended security leaders who introduce threat modeling as a new initiative will quickly witness a fatigued, internal customer base trying to make sense of the outcomes among threat modeling activities and the other 20 security activities that are calling their product “insecure,” “high risk,” “non-compliant,” etc.

As security process owners for DAST, SAST, pen testing, compliance audits, etc., get in line to speak to product owners on some aspect of risk, impact, or threat. Adding a threat modeling SME to the end of the line will fatigue product owners who are overwhelmed with the litany of security efforts that claim to have unique findings.

When these security efforts have “critical” or “high” risk issues, those terms lose meaning amidst a dizzying seesaw ride of security activities. The litany of security activities can contradict remediation priorities and even undermine remediation queues and timelines.

Why Embellishing Threat Modeling is a Smart Business Move

When the above security straws illustrate a montage of high, medium, and low-risk issues, how is the product owner expected to discern which high is the first to address without the proper context? So, this begs the following questions:

• Where is the context to all of these security issues?”
• “Why can’t a model of threats for an application contextualize software weaknesses, design flaws, insecure libraries, and vulnerable infrastructure as part of its process?

It can, but not with quick and dirty approaches that may check the box. A risk-centric approach that bundles all of the security straws together and processes them within the threat model for greater context and residual risk identification. Embellishing threat modeling is a promising strategy.

Integrated, Contextualized Threat Modeling Yields More

Risk-centric threat models can contextualize many of the “security straws” from the diagram above and reduce the security load for the enterprise. In 2015, the Process for Attack Simulation & Threat Analysis was born as PASTA – a risk-centric approach to threat modeling, a step-by-step methodology. As a process consisting of seven stages, it has inputs and outputs across each stage. Many security activities in enterprise security today actually “feed” a risk-centric PASTA threat model and contextualize security information into a model of threats for the application.

Common questions by application/ product owners:

1. “What are the things that I need to worry about?”
2. “Can you show me how this is a {critical | high | medium} risk?”

As many of the security activities depicted in the drawing overwhelm product owners, risk-centric threat models provide a framework to which vuln data, exploit testing, threat sources, control scan results, and more can help solve for a residual risk level that looks at more than just any isolated security deliverable. Models of threats are just that – models. Models need information and credible sources at that.

Security programs can introduce risk-based threat modeling as a process that embellishes much of the information produced by DAST, SAST, SCA, Pen Testing, and much more. Embellishing risk-based threat models provide an opportunity for the output of various security activities to substantiate a threat assertion, which indeed pertains to question #2 above. A threat assertion may be “Data Theft” or “Persistence”. As these unique and tailored assertions are created through the use of threat intel research (already conducted by CTI groups, then a more tailored, credible threat library can be constructed and maintained with SecOps information that stems from assessments, scans, pen tests, threat intel feeds, etc.

Tailored Threat Models

Recently, CISA and various other global security agencies published a joint initiative on secure design. The document references a growing need for “tailored” threat models. Below is an excerpt from that document with the key call to have tailored models highlighted (see below).

FACT—threats are unique to the industry, and their impacts are also unique. Threats to system availability may be harmful for a banking institution but may be catastrophic for an energy player. Companies will and should have unique threat models even within a given sector.

Building tailored threat models with tailored threat libraries will leverage some of these other security activities within an enterprise and provide an opportunity to operationalize information from several sources, thereby elevating the model’s credibility.

In the risk-centric PASTA methodology, for example, internal security controls and governance requirements for crypto use, logging, etc., can be factored into Stage 1 of the methodology. CASM and SSCM tools can enumerate components within an application attack surface, which ties into Stage 2 of the approach.

Threat intel feeds and correlated SIEM events can substantiate threat claims or assertions built in Stage 4 of the risk-centric methodology. Vuln scans from SSCM, SCA, vulnerability scanners, and DAST/ SAST tools can denote vulnerabilities that support the possibility that the threat could occur.

Stage 6 provides pen testers with a blueprint of a threat objective > targeted component > associated vuln/ weakness to be presented to an adversarial engineer to test the viability of an abuse case or attack pattern. As such, the risk-centric threat model with PASTA doesn’t introduce threat modeling as simply a net-new initiative but an actual “wrapper” to contextualize all of this security information for the product/ application owner.

Embellish Your Risk-Centric Threat Models

“Risk-Centric Threat Modeling” (Risk-Centric Threat Modeling: Process for Attack Simulation and Threat Analysis | Wiley), the book that introduced PASTA as a risk-centric threat modeling approach, was supported by the now late top aide to President Obama, Howard Schmidt. Mr. Schmidt wrote the preface to the first edition of this book. A few years later, several universities and global corporations have since adopted the process as their de-facto threat modeling methodology. They have even made their own “PASTA” by leveraging the modularity of the methodology’s stages. GitLab wrote about their adoption and use journey, which can be found here: read about how we’re creating a threat model framework that works for GitLab.

Most data models must be fed, and threat models are no different. For tailored, contextualized models of threats substantiated by various security results, PASTA provides an accurate risk-centric approach that alleviates those security straws from piling and instead focuses on contextualization and integration. Product owners appreciate that a model of threats now contextualizes all of the other security inputs and helps streamline what needs to be worked on first regarding remediation. For more information on the steps, stages, and other artifacts around risk-centric threat modeling with PASTA, look at the eBook on Process for Attack Simulation and Threat Analysis – VerSprite.

Contact VerSprite now to get started on risk-based threat models.