You threat model to identify threats and implement mitigations before you deploy an application. In this regard, the overarching reason for your commitment to do threat modeling is to avoid incident response altogether.
Theoretically, an application with no exploitable vulnerabilities shouldn’t require an incident response. But, if Log4J and the SolarWinds cyber-attack taught us anything, when it comes to incident response, it’s not if but when.
So, does that mean threat modeling is only of limited value since it can’t eliminate the possibility of incidents completely? Actually, just the opposite is true. When the inevitable incident does occur, having done threat modeling will actually improve your incident response.
Responding to an Incident
What keeps most CISOs up at night? Incidents. And if you did a poll, the majority would probably tell you, when it comes to incidents, their goals are for the next one to cost less and deal with it faster than the previous one.
As much as CISOs would like to be strictly strategic in their operations, what happens frequently is they become reactive. Reacting to incidents. And that reaction usually happens in three phases:
- Inventory
- Triage
- Response
Phase one, inventory, attempts to answer three questions:
- What are my assets?
- Where are they vulnerable?
- Which ones do I care about?
If you study those questions closely, you’ll notice something interesting. They are the same exact questions threat modeling answers
How Threat Modeling Improves Incident Response
Immediately after an incident, especially a major one, there seems to be about 36 hours of chaos. A period of time in which there is a lot of running around, trying to figure out what to do and where to start to answer those questions above. But, if you’ve previously threat modeled the compromised system, it should short circuit a lot of the running around. It eliminates the “where do I start?” because the questions have already been answered.
Without threat modeling, you are forced into a more generalized response. But having done threat modeling, you can zero in on important things faster. Since you’ve already modeled how your applications work, you know things like attack surfaces, exploitability and impact
Consequently, after an incident, you know which applications you care about, in what ways you care about them and for what reasons. By going through the threat modeling process up front, incident response becomes faster, and thereby, less costly.
When making the case to invest time and money into threat modeling, it’s not always feasible to quantify your return on investment simply by imagining the incidents you avoided by doing threat modeling. But positive impacts on incident response make that calculation easier.
Doing a postmortem on incident response with and without threat modeling would give a much better indication of the additional ROI gained by doing threat modeling.
CISOs want to build secure applications and want to respond quickly and purposefully when the inescapable incident occurs. Threat modeling helps with both.
If you’d like to learn about a threat modeling platform that can help you with both, we suggest you check out ThreatModeler. It’s as close to one-click threat modeling as there is.
For questions or to learn more about ThreatModeler™ please contact us.