Our past blog posts have covered why organizations need to implement enterprise threat modeling and make it an ongoing process, versus treating it as a one-time exercise, and also how IT executives, along with other key stakeholders, benefit from a scalable and repeatable threat modeling practice.
Over the past few years, a handful of threat modeling methodologies and approaches to threat modeling have been adopted by a variety of large organizations, while others are now attempting to establish their own threat modeling practice. In this post, we’ll show you what is absolutely necessary for threat modeling success.
5 Characteristics of Successful Enterprise Threat Modeling Practices
1. Actionable Output
The output of most threat modeling methodology generates unwieldy paper trails. With threat data changing frequently, it is problematic to keep information current. In addition, the collaboration between key stakeholders is stifled, since manual documentation provides no mechanism to enable ongoing interaction between stakeholders.
Often, implementing an enterprise threat modeling practice means trying to induce usable output from a multitude of Data Flow Diagrams (DFDs), and following instructions that offer a “one-size-fits-all” format for various stakeholders, from executives to security team members, to developers.
An efficient enterprise threat modeling practice should provide actionable output automatically to stakeholders at all business and technical levels, tailored to their specific areas of responsibility. The outputs should be in the form of a “living document” that has the ability to easily be kept up-to-date with the continually changing threat landscape. Actionable output, along with real-time collaboration, promotes consistent enterprise-wide security at every step along the way, while meeting security policy and governance requirements.
Actionable outputs should minimally include:
- A rolling list of top 10 threats, so key stakeholders can focus on the most critical data exposure at all times, calculate costs tied to mitigation, and prioritize mitigation efforts accordingly,
- Abuse cases and security requirements for developers and security operations teams to provide a roadmap for writing secure code and guidelines to harden the infrastructure, and
- High-value targets and data exposure identifying entry and exit points that require mitigation.
Learn more: Threat Modeling Benefits for the CISO and Key Stakeholders
2. Business Focus
IT executives often get caught up in the process of “checking boxes” in order to demonstrate compliance and regulatory mandates have been met while losing sight of the actual costs and negative impact to their business should a breach occur. Aligning application security risk and risk-mitigation with business priorities and being able to communicate the basis of those decisions to not only senior executives and board members, but also to other key stakeholders in order to secure the resources needed to manage risk, potential costs, and brand damage is a fundamental characteristic of any successful enterprise threat modeling practice.
A business-centric approach to threat management requires IT executives to:
- Understand the business impact to an organization if certain threats are carried out,
- Collaborate with internal security teams to provide guidance and help prioritize threat mitigation efforts in terms of business risk, and
- Align mitigation strategy and budgets with application risk exposure to minimize risk.
Keeping business focus at the forefront not only requires ongoing input and direction from executive management, but also necessitates the need for a collaborative platform to enable all stakeholders in the SDLC to interact with one another in real-time, including software architects, developers, software testers, security analysts, project managers, security experts, etc.
3. Predictability
The optimal time to perform threat modeling is when a software program or a computer system is on the architect’s whiteboard. However, most enterprise threat modeling solutions do not provide the automation, flexibility, precision, or thoroughness required to keep pace with the rapid changes that typically occur during the design phase. Without an automated threat modeling approach in place, the design phase requires a disproportionate amount of testing, debugging, and reprogramming takes place, in an effort to eliminate vulnerabilities before a software program or system is moved into production.
A successful threat modeling practice will enable predictability and flexibility at the design stage:
- Continually identify new threats that surface and apply the appropriate mitigating controls,
- Prioritize mitigation efforts by determining which threats pose the highest risk, and
- Verify threats have been mitigated prior to moving software programs or systems to production.
While predicting where threats and security flaws exist in the early stages of the SDLC to minimize risk is an essential element of effective threat modeling, the benefit of doing so should not be limited to the quality of code that is written, but should also result in lower development costs. By integrating a predictive threat modeling practice during the design phase, it also reduces the high costs associated with fixing production vulnerabilities.
4. Integration with Real-time Threat Intelligence
Most threat modeling methodologies available today are not only manually intensive and inefficient but are also unable to integrate with other tools and technologies. Modern development environments like Agile and DevOps, where new features are constantly being added during “short sprints” and software applications are required to run on platforms that change frequently, only serve to compound the issue by continually expanding attack surfaces.
Equally important, new threats are constantly surfacing and attackers are becoming more sophisticated, so how can organizations keep pace with the ever-changing threat landscape? How can mitigation efforts be prioritized in the most effective way?
Integrating your enterprise threat modeling practice with a real-time threat intelligence framework allows you to:
- Gauge the potential impact of a breach by relying on statistical analysis of real-world attacks, where specific threats have been carried out in your industry vertical,
- More accurately assess the business and technical impact to your organization should a given threat be carried out, and
- Keep the most critical data exposure current and provide a foundation to align budgets with an overall mitigation strategy.
5. Scalability
It is widely recognized that most threat modeling processes and methodologies are time-consuming, not repeatable, generate cumbersome paper trails with built-in obsolescence, are unable to correlate threat intelligence with organization-specific attacks, and cannot keep threat models current with the continually changing threat landscape.
A scalable, automated, repeatable enterprise threat modeling process is able to:
- Track all threats across 100s or even 1000s of an organization’s applications and keep threat data current,
- Enforce consistency enterprise-wide by allowing pre-defined security requirements to be applied to all re-usable application and system components, and
- Provide real-time collaboration between all stakeholders to keep threat modeling processes in synch.
Conclusion
While various threat modeling and secure development methodologies, processes, and practices have been developed and adopted in the marketplace over the past several years, establishing clear objectives and metrics to measure their success and calculate an ROI has been challenging.
The five characteristics of a successful threat modeling practice identified here not only provide a baseline for measuring the progress of an enterprise threat modeling program but they also establish a foundation to effectively align budgets with application risk mitigation.
Schedule a demo today and see how ThreatModeler enables a successful enterprise threat modeling practice.