Fortune 1000 companies increasingly want the benefits of a collaborative, self-serve enterprise threat modeling practice. Quite frankly it is an easy sell. Whether through on-site or cloud-based deployment – or through the new Threat Modeling as a Service option – a mature enterprise process provides:
- Full bi-directional integration with existing development and operational security tools, making them more effective;
- Real-time situational visibility into the organization’s comprehensive attack surface;
- Actionable threat intelligence at the click of a button;
- Data-driven understanding of the organization’s security “big picture,” including a deep understanding of the relevant attacker population and the ability to objectively quantify defense-in-depth configurations;
- The capacity to threat model applications, on-premises and cloud-based deployment environments, mobile and stationary computing endpoints, IoT and embedded systems, industrial control and other cyber-physical systems, regulatory compliance, and more.
Understanding and desiring the benefits of a mature practice is not the challenge. Getting there is.
TMaaS Eases Threat Modeling Maturation Process
Many organizations’ current maturity-level is “tactical.” That is, they have an established, manual process for building threat models for a few mission-critical and high-risk applications. A tactical practice is a good starting place – at least the organization understands the benefits of identifying potential threats.
There is, however, a significant weakness with such processes – they cannot scale. This leaves developers relying on SAST and DAST tools within the production pipeline. Penetration testing and other manual processes are required to verify secure coding after development.
A strategic practice leverages automated threat intelligence to build threat models for every new application or DevOps project. When implemented across the production portfolio, the automated threat modeling as a service solution will identify up to 99% of SAST and DAST potential issues before an application’s coding is started. By eliminating the false-positive scanner noise and providing secure coding requirements at each stage through the production pipeline, a strategic practice is a vast improvement over a tactical one.
Transforming from a waterfall production environment to an agile or DevOps environment changes the way things are done. Old silos are dismantled. New cross-functional teams are created. Individuals can no longer concentrate on fulfilling their individual role. Everyone needs to learn how to collaboratively contribute to the business’ goals. It’s different – and it works much better with vastly improved productivity and customer satisfaction.
Maturing from tactical to strategic to an automated, collaborative enterprise practice can also be a significant digital transformation. In a tactical practice is generally considered a security team activity. In a strategic practice, automation becomes vital, and the responsibilities are shared by everyone in the production environment. An enterprise practice takes this a step further to encompass the entire IT environment with interaction from all stakeholders.
TMaaS Provides Immediate Benefits and Lower Costs
The Threat Modeling as a Service model, or TMaaS, allows organizations immediate access to the benefits of automated enterprise threat modeling without the need to drive the maturity curve. Also, TMaaS provides additional As-a-Service benefits IT departments have come to expect:[1]
- Flexibility – like other XaaS models, TMaaS delivers on-demand flexibility for companies on a pay-as-you-consume basis. Threat Modeling as a Service can be provided on a tactical, strategic, or enterprise basis depending on the needs, business climate, and strategy of the organization.
- Cost-Effectiveness – organizations receive the benefits of Threat Modeling as a Service without the need to invest in collaborative platforms. Moreover, the time and costs to get stakeholders up to speed on using the platform are significantly reduced; and there is no need to invest resources in platform maintenance or ingesting threat intelligence. A fully-managed enterprise solution can reduce costs by as much as 73% over in-house tactical or strategic practices.
- Latest and Greatest Availability – Organizations have access to the latest and greatest platform user experience whenever they reach for Threat Modeling as a Service outputs.
“We’re excited about our new Threat Modeling as a Service offering. Many Fortune 1000 companies have told us they want the benefits of enterprise threat modeling. Maturing from their current practice, however, to the end-to-end practice they want can be challenging.”
– Mark Meyer, CRO of ThreatModeler Software
“With TMaaS, ThreatModeler will do all of the heavy lifting for them. The TMaaS offering includes a wide array of services include building and treat models and deploying them into the self-serve platform, to providing on-demand consultant expertise for customers. Customers can leverage all the features of the ThreatModeler™ platform, without the challenges or costs of in-house implementation. The goal of our TMaaS offering is to help customers grow into our Enterprise Solution.”
ThreatModeler’s Threat Modeling as a Service is for Everyone
ThreatModeler Software’s TMaaS offering provides secure, collaborative customer access to completed threat models. Access may be granted through ThreatModeler’s public cloud instance or through the customer’s private cloud instance. TMaaS customers have on-demand access to advanced outputs and platform integration on a self-serve basis.
As a fully-managed service, TMaaS allows organizations to concentrate on the implementation of outputs, including driving end-to-end cyber security strategy. Enterprise Threat Modeling as a Service enables organizations to drive consistent and effective end-to-end security policy and risk management. By consuming TMaaS outputs, an organizational stakeholder can realize exceptional benefits:
- Architects – Identify security issues and the needed controls automatically during the design of every project;
- DevOps and agile development teams – Integrate with existing and trusted production tools. Built-in bi-directional communication capabilities mean production teams can consume threat model outputs directly through JIRA, Jenkins, Qualys, and other toolsets. On-demand self-serve availability means security requirements are available for each CI/CD pipeline iteration. Threat models stay current as living documents throughout the application’s SDLC;
- Operators and administrators – Experience real-time visibility into the security and threat status of their evolving IT environment. Relevant threats are identified with the click of a mouse throughout the operational and back-end ecosystems.
- QA personnel and security teams – Gain clarity of the QA and security issues while applications are in design and throughout their life cycles. Reduced network scanner false positives mean security teams can identify and concentrate on the real concerns. Proactively design QA tests before applications are coded.
- CISOs and key stakeholders – Understand the organization’s state of cybersecurity. Quantify the effectiveness of defense-in-depth configurations and other compensating controls. Understand who the attackers are and zero-in on risk issues.
Contact us to learn more about the
Threat Modeling as a Service offering by ThreatModeler.
[1] Newman, Daniel. “Why The ‘As-A-Service’ Model Works So Well For Digital Transformation.” Forbes. Forbes Media LLC: New York. June 27, 2017.
