There’s a belief in the security community that if you’re doing threat mapping, you don’t need to do threat modeling. The idea is that threat mapping is just as good as, or at least takes the place of, threat modeling.
It’s true they are both a formalized way to visually depict threats to an application or system. But that’s about where the similarity ends. The process for creating the two, and the outputs they produce, are very different. Perhaps most important, is that while threat mapping hasn’t changed much since its inception, threat modeling as a discipline continues to evolve.
Formally, threat mapping is the process of identifying threats and looking for feasible solutions to mitigate those threats. It involves visualizing the source and destination locations around the world, as well as providing learners with a baseline understanding of common cyber security threats, vulnerabilities, and risks.
Even today, threat mapping is mostly a manual process used to draw attack trees and attack patterns. These attack trees and patterns are based on data flow diagrams. A data flow diagram (DFD) is a way of representing a flow of data through a process or a system (usually an information system).
The key to these data flow diagrams is that the data are uncategorized. Data are data are data. It treats all data classifications the same. It makes no distinction between top secret data and unclassified data. And in a world where security budgets are fixed and assets to protect must be prioritized, that’s not good.
Formally, threat modeling is a family of activities for improving security by identifying threats and defining countermeasures to prevent or mitigate their effects. It is a structured process with objectives such as identifying security requirements, pinpoint security threats and potential vulnerabilities, quantifying criticality, and prioritizing remediation methods.
You can already see some major differences between threat mapping and threat modeling. Notice the mention of “quantifying criticality” and “prioritizing remediation”. One of the great benefits of threat modeling is that it tells you where to begin mitigating threats.
The other advantage of threat modeling is the different outputs it produces. Those outputs include security requirements, threat actors, abuse cases and design flaws.
Unlike threat mapping, threat modeling depends on process flow diagrams. A process flow diagram (PFD) is a type of flowchart that illustrates the relationships between major components. It’s most often used in chemical engineering and process engineering, though its concepts are sometimes applied to other processes as well (like those in information systems).
The key advantage of a PFD, compared to the DFD used in threat mapping, is that a PFD illuminates how the major components of the system interact with the major business assets. And that’s perhaps the most important difference between the two. Threat mapping maps threats. Threat modeling models the overlap of threats and assets. Threat mapping is looking at threats in a vacuum. Threat modeling takes a holistic view of the enterprise.
Threat modeling as a discipline and a collection of tools continues to evolve and produce ever more useful outputs. More and more it leverages automation and collaboration in a dynamic, structured approach to mitigating threats.
If you’d like to get a glimpse of a threat modeling platform with all the latest capabilities, checkout ThreatModeler. ThreatModeler is as close to one-click threat modeling as there is today.