Threat modeling is the process by which you identify threats to the technical side of your business. A good threat model highlights the vulnerabilities of your systems and outlines a plan to shore up these holes in your defenses.
Threat modeling is hugely valuable as a preventative measure. By using threat modeling (and then putting the suggested security solutions in place) you can prevent breaches from happening.
Threat modeling probably isn’t something you’ll do when you first start your business, but you should do it every time you introduce a new product or change. You should also use threat modeling if you add a new application or system to the tools you use to run your business.
But how exactly does one create a threat model? As with any good plan, there’s a lot you need to consider. We’ve provided a handy guide below, which should cover everything you need to know about threat modeling for your business.
Whose Input Do You Need?
Don’t bear all the responsibility of threat modeling on your shoulders. Aside from it being more efficient to share the workload, you should welcome input from the range of people that make up your business.
Getting input from different sources is vital because you need to consider the vulnerabilities of your system from various angles. For example, programmers might give you a very technical rundown of the impact a security breach would have on your human resources software, while a manager in a non-technical position would give you a better idea of the impact it could have on individual employees.
This example demonstrates the two main groups you should consult when forming your threat modeling team. The first group is management or non-technical employees. This includes project managers, company directors, and other internal business stakeholders.
Project managers should be consulted so you can understand the resources available for the project. Directors should be involved so you can understand what the business is hoping to achieve with the system you’re doing the threat modeling on. These are only a couple of examples. Consider input from every department – everyone from finance to legal may have useful info.
The second group is technical employees. Programmers, coders, software engineers, and the like. You’ll want to get the main architect of the system you’re modeling for involved so you have a clear understanding of its functions and features. You’ll also want a cybersecurity specialist, as they’ll be the most useful person to have on board when you begin examining potential threats and defenses.
Communication is essential when you’re trying to get input from so many different groups and individuals. It may be wise to invest in a business VoIP service to facilitate this contact.
What Is Your Focus?
As well as building a team, you need to consider the focus of your threat model. Although you’re generally going to focus on a single asset – namely, the new product you’re releasing or integrating into your business – this isn’t the only way to generate a threat model.
Another method is to focus on attackers and potential threats. This is good for building a threat model for your business as a whole, but it can sometimes be too broad to be useful. It’s a longer and more difficult project, as you need to have a basic knowledge of all the potential systems an attacker may target and then work out the most likely method they’ll use to attack.
Similarly, you can take an asset-centric approach to threat modeling. Like the attacker-centric approach, this method considers every system in your business, but the focus is more on how important that system is. Priority is given to the systems that are both highly important and highly vulnerable.
Generally, if you’re examining a single system, you’ll take an attacker-focused or software-centric approach. The software-centric approach focuses on the design of the asset and how it interacts with your business as a whole. This kind of approach can be applied to your business as a whole, but you would encounter the same problems listed above.
If the system you’re building a threat model for falls under the XaaS (anything as a service) model, you need to consider cloud security as well as the security of your application. Cloud computing can be a complicated subject, so consider hiring a specialist for this side of your software-centric approach.
The Five Steps of Threat Modeling
1. Outline the Goals of Your Threat Model
This is the first stage of creating your threat model. It should be relatively easy if you’re trying to ensure a good level of basic security. You’ll want customer and employee data to remain confidential, a high level of data integrity, and to make sure security meets the level of service expected by customers (assuming the system being modeled is a product you’re selling).
You need to outline realistic goals for your threat model. A good threat model can do wonders for your data integrity, but it’s unlikely it will do much for employee health. Don’t expect your threat model to solve every problem in your business.
2. Analyze the System You’re Protecting
After setting your goals, you need to think about the thing you’re designing. Are you creating a private branch exchange phone system for your company or a finance app that your customers will be using?
Whatever it is, the first thing you’ll need is documentation. You should source every scrap of development data you can. The more you understand about the software you’re developing the threat model for, the more likely you are to discover key vulnerabilities.
This stage is where your technical team will be most useful. The architects and developers of the system will be able to give you insights you may otherwise miss.
3. Identify Possible Threats
Automation should be a core part of your business in 2021. Any forward-thinking business leader should be utilizing everything from eCommerce to SAP robotic process automation, as automation tools are great for saving time and money. Similarly, large portions of your threat modeling can be automated, especially threat identification.
Similar to discovery tools that can map out a network you’re using for your business, there exists software that can map out a particular application then provide you with a list of its vulnerabilities.
Automation tools aren’t the only valuable resource you can use when identifying threats. Threat libraries, like CAPEC and OWASP, are also useful. They’re essentially catalogs of potential attack methods and the sorts of systems they target.
4. Identify Methods of Defense
When you’ve completed threat identification, you’ll have all the information needed to think up methods of defense. It’s difficult to give examples of these, as they’ll often be highly specific to your situation. However, coding and design fixes aren’t the only kinds of security solutions available to you.
Consider removing or turning off features that cause software vulnerabilities. It may be the risk they pose is worth the loss of functionality. Also – though this should be used sparingly – it’s sometimes better to do nothing at all. Perhaps a vulnerability you were concerned about is very low risk and it’s not worth the expense to change it.
5. Evaluate How Useful the Model Is
This final task will likely be done long after the first four, as you’ll need to put the model into practice before evaluating its usefulness. Generally, you’ll want to test to make sure every threat and vulnerability you identified have been addressed to some degree.
Evaluation is handy for future threat models too. As technology (and your business) continues to change and grow, you’ll need to model for new threats and new vulnerabilities.
When determining the success of the model, you need input from the same people we mentioned in our “Whose Input Do You Need?” section. This means some form of online communication tool will be necessary. Cloud communication platforms are particularly handy due to their accessibility.
Threat Modeling Is Essential
As we mentioned, there are all sorts of SaaS tools that can assist with threat modeling. Don’t be afraid to explore the variety of software out there, as implementing this into your modeling process can save a lot of time and money.
The foremost benefit of threat modeling is improved security, but this leads to other benefits as well, including minimizing profit loss as you won’t need to spend as much on solving security issues. Improved security will also mean customers have more confidence in your business as they’ll know their data is in safe hands.
Finally, remember a threat model is a plan and doesn’t do anything on its own. You’ll still need to install your new defensive measures once you’re done modeling. However, the better your threat model, the more effective those measures will be.
Severine Hierso is EMEA Senior Product Marketing Manager for RingCentral Office, the leader in cloud communications and online fax solutions, and is passionate about creating value, differentiation and messaging, ensuring a better experience for customers and partners.
She has gained extensive international Product Marketing, Market Research, Sales Enablement and Business development experience across SaaS, Telecommunications, Video Conferencing and Technology sectors within companies such as Sony, Cisco, Cogeco Peer 1 and Dimension Data/NTT.