Understanding that enterprise threat modeling is the gold standard of threat modeling, enabling CISOs can drive consistent security policy organization-wide is one thing. Implementing it across the IT ecosystem is quite another. Securing legacy systems, for example, is entirely different from left-shifting security in the DevOps process.
It is different again to drive consistent security policy and have real-time situational awareness across the organization’s mobile, IoT, and other computing endpoint footprints. CISOs looking for sustainable ROI and measurable competitive advantage for their organization will want to successfully implement enterprise threat modeling.
Getting Started Implementing Enterprise Threat Modeling
For successful implementation, CISOs should start by understanding which threat modeling maturity level their organization falls under:
- Tactical Threat Modeling – In this stage organizations primarily threat model critical and high-risk applications. Often the threat model is built by security subject matter experts utilizing highly manual processes. Because of the manual process, obtaining outputs is slow, often lagging far behind the production. Penetration testing may be employed as a backup or additional step after application development as the threat models generated tend to be static documents yielding only secure coding guidelines against classes of potential threats.
- Strategic Threat Modeling – At this point of maturity, the organization has realized some benefits of automation in their threat modeling process. However, based on the process and/or tool used, they must limit the scope of threat modeling to considering individual applications in isolation. Furthermore, threat modeling at this stage is still a security-team-only activity. However, the outputs have evolved to identify specific threats and mitigate security requirements.
- Enterprise Threat Modeling – Finally, at the enterprise threat modeling stage, the organization can finally realize real-time situational awareness across their entire attack surface. No longer just a security expert activity, threat modeling becomes accessible to all stakeholders through a self-serve model. The threat model portfolio expands to include all DevOps projects, deployed applications, on-premises, and cloud-based environments, mobile, IoT systems, computing endpoints, and other cyber-physical systems. It is at this stage that CISOs have the high-level, data-based perspective to quantify security initiatives, anticipate and realize sustainable ROI on resource investments, and drive consistent security policy across the enterprise.
Learn more: Why CISOs Implement Enterprise Threat Modeling
1. Implementing Enterprise Automated Threat Modeling
The practical side of implementing enterprise threat modeling also includes defining as precisely as possible the goals and objective to be obtained from a mature threat modeling process.
Consider an organization at the tactical level of maturity. It may be difficult to fathom what automation looks like at this stage when stakeholders are accustomed to highly manual processes with static results. When different stakeholders are asked about automation and implementing automated threat modeling, answers will vary based on their existing experience.
Others may envision getting a few non-specific classes of potential threats “automatically” from a freely downloadable tool. Yes, these threat mapping tools that can automatically identify “obvious” threats, but more challenging issues are left for security subject matter experts to identify manually. When discussing the process of implementing enterprise threat modeling for your organization, stakeholders need to clearly define the role, scope, and purpose of automation.
Organizations doing strategic threat modeling, on the other hand, will have a better understanding of what automation is and the potential offered by a fully automated process. The discussion of implementing enterprise threat modeling at this stage will also necessarily consider integrating with the organization’s existing toolsets and workflow.
If efficiencies and effectiveness can be increased by moving from a manual to an automated threat modeling process, how much more will be gained through bi-directional communication between the threat modeling platform where potential threats and security requirements are identified and the bug tracking and other tools developers commonly used in the CI/CD production environment?
Through integration, the threat model becomes a living document with useful, actionable outputs during each CI/CD iteration. For leaders thinking about implementing enterprise threat modeling, carefully define the integration with existing toolsets and workflows needed to enable the entire DevOps team to bake-in and left-shift security into each project without a significant learning curve or increase in workload.
2. Map out the Threat Modeling Implementation Journey
No organization would seriously attempt to implement DevOps without a detailed roadmap. Moreover, just as with DevOps, implementing enterprise threat modeling is not just about acquiring and incorporating new technology. The “transformation” part of a digital transformation has just as much to do with the organization’s culture.
The challenge with DevOps is to replace the functional silos traditionally separating developers and operators with a new collaborative environment that aligns previously disparate purviews with the organization’s overall strategic goals. When done well, the result is a considerable increase in productivity, an improved bottom line, and newfound competitive advantages. Few today will disagree that the DevOps digital transformation is well worth the effort.
Implementing enterprise threat modeling is also a digital transformation. When leadership carefully maps out how to implement enterprise threat modeling in their organization, the realized benefits can go well past establishing a smooth DevSecOps production environment. When implemented well, enterprise threat modeling will break down the functional and purview silos between “in-the-weeds” practitioners – including developers, operators, administrators, and QA engineers – and “big-picture-focused” executives establishing overall long-term strategic plans.
The final component in implementing enterprise threat modeling, then, lies is internally-evangelizing and gaining individual stakeholder support for the transformation. Individuals – not just stakeholder groups – need to both understand how enterprise threat modeling benefits the organization AND how it will benefit them. Furthermore, individuals need to be shown how their contribution to the transformation will bring about the desired personal benefits. Taken collectively, each of the individual contributions creates the map of how to implement enterprise threat modeling for that organization.
No executive likes investments for which a reasonable ROI is not realized. Through enterprise threat modeling, though, CISO’s have the real-time situational awareness across the full attack surface and the ability to conduct dynamic “what-if” scenarios on planned to implemented security initiatives to accurately and effectively predict the ROI of each of their resource investments.
Develop the Three Pillars of Enterprise Threat Modeling
Any successful plan for implementing enterprise threat modeling must account for the practical realities: Threat modeling is all about creating useful, actionable outputs for each stakeholder group. Useful outputs, of course, require more than good ideas or interesting theories. Actionable outputs at the scale and scope needed by today’s enterprises can only be developed from a practical practice supported by a mature technology through an accessible platform, such as ThreatModeler™.
Full automation considerations are quickly realized by ThreatModeler users who need only create a Visio-like diagram with drag-and-drop ease – ThreatModeler’s Intelligent Threat Engine and automated Threat Intelligence Framework do the rest. In as little as 15 minutes, users have actionable outputs for applications, on-prem or cloud-based deployment environments, mobile or other IT system endpoints, IoT and embedded systems, industrial controls system, and other cyber-physical systems. Moreover, the automatically generated threat models identify 99% of DAST and SAST vulnerabilities – even if the project still only exists on the architect’s whiteboard.
DevOps team member will especially appreciate how ThreatModeler integrates with the organization’s planned or existing toolsets including SAST and DAST tools, security controls, network scanners, and issue trackers through bi-directional communication. Changes to the status or notation of a bug in JIRA, for example, will immediately be reflected in the threat model. By integrating ThreatModeler™ with previously purchased production and security technologies, organizations realize increased effectiveness and efficiencies throughout their full workflow – without a significant learning curve or additional workload.
Learn more about the Three Pillars of a Scalable Threat Modeling Practice
Finally, organizations will realize enterprise-wide, cross-functional collaboration through ThreatModeler’s system architecture. With role-based access, users have access to the outputs and projects of interest to them. CISO can quickly assess the organization’s level of information security and drive consistent policy throughout the IT system.
Security architects can determine more effective security-in-depth utilizing existing controls. Infrastructure engineers can analyze potential attack paths and abuse cases. Developers can implement security requirements during the initial coding. Regardless of the role, function, or purview, stakeholders effectively collaborate on end-to-end cybersecurity.
To be clear, however, enterprise threat modeling is much more than just “revving-up” a traditional threat modeling practice. When considering implementing enterprise threat modeling, organizations must realize that such a practice is intended to scale across the full cyber ecosystem; it will keep pace with the CI/CD pipeline, and real-time threat intelligence will become actionable at multiple levels. Enterprise threat modeling is a digital transformation.
To learn more about how to implement enterprise threat modeling with ThreatModeler™,