How threat modeling technology fits into modern security
Dave Sobel speaks with Nuspire about the objectives of threat modeling. Learn how threat modeling can support modern security approaches such as zero-trust security.
Dave Sobel is host of the podcast The Business of Tech and co-host of the podcast Killing IT. In addition, he wrote Virtualization: Defined. Sobel is regarded as a leading expert in the delivery of technology services, with broad experience in both technology and business.
In this video, Sobel discusses threat modeling with John Ayers, chief strategy product officer at cybersecurity company Nuspire. They talk about how threat modeling relates to zero trust and what the industry must do to win the cybersecurity war.
Transcript follows below.
Dave Sobel: I want to start by talking about threat modeling. You guys got my attention at Nuspire because you've made some advances in threat modeling. But let's take a moment to step back. Talk to me about threat modeling and what it is.
John Ayers: I think there's two things around threat modeling. There's a software-defined threat modeling, which Microsoft and OWASP [Open Web Application Security Project] and those guys have created, which is really around building out your software. But then there's the threat modeling around industry risk and understanding the techniques and controls you have in place to combat those techniques.
In today's world, threat modeling -- prior to our launch in January -- was professional services-driven. It was consulting-driven. It would take you four weeks to six weeks to potentially eight weeks, and anywhere between $50,000 to $75,000, for someone to come in and create that threat model for your organization, for your industries or industry. Today, [this approach] is cumbersome, and, to be honest with you, Dave, expensive for some of the small [and] medium enterprise-type clients who just can't afford to do it but need it. It's an interesting evolution that we've gone through and [has pointed to] where we need to continuously go.
Why organizations use threat modeling
Sobel: So, why do you threat model? What's the 'why' behind doing it?
Ayers: The 'why' behind it is it really helps organizations understand where they're most susceptible, meaning who's really coming at you and what type of attack is being used against you, and what controls or data sources might be most valuable to the hacker, to the bad guy. The other piece that's important to note here is [threat modeling] really helps [guide customers] to where they need to focus. Too often, what we have found, Dave, is people focus on getting compliant, and then a lot of people say, 'Hey, I'm compliant. I'm secure.' That's not really the right approach.
While [compliance] helps lay the groundwork to getting threat modeling now, if you overlay that a little bit, [compliance] also helps them build an effective security program on top of that, meaning enhancing what they may already be establishing as part of their compliance: One, by showing the clients the threats that may be facing them -- a lot of clients today don't understand what threats are facing them in their industry -- and then, ultimately, 'How do I prioritize that? How do I then log for that? How do I detect that?' And then, ultimately, 'How do I mitigate that?'
Make threat intelligence actionable to clients
Sobel: OK. I think it's implied, but I never want to assume, which is why I ask questions like this: What's the gap if somebody doesn't do the threat modeling?
Ayers: Yeah. I'll tell you what the big gap here is: It's the unknown. You just don't know how to combat that. You don't know what battleships may be forming on the horizon, attacking you in that industry.
Let's take an example: healthcare. Healthcare has various attack techniques that are being used against them all the time. However, you may be in healthcare but also in retail, because you're collecting credit cards and things. While some of the attack techniques are similar, the outcomes of how you protect yourself are obviously different. So, you can't assume, 'If I do this, I'm going to solve for that.' It's a lot like you're protecting your home. You've gone and put on deadbolts and things of that nature. You've put up motion lights. But is that enough to protect you in an area where you may not know what is being used by bad guys to break into homes? Are they able to circumvent that, things of that nature?
So, the whole idea here is really helping them, educating them, giving them the tool around that specific intelligence, tailored to that specific client, mapped to their specific controls. And you know what? The key here is [presenting the intelligence so] that it's actionable for them. The biggest problem we have today in security is there's so much. It's so complex. And, at the end of the day, people really are still grasping, 'What do I do with it? What can I leverage about it that makes it actionable for me to do something to do this?'
Cybersecurity investments: How much is enough?
Sobel: I like your analogy. When we think about security, we think about it from a physical perspective. How do you, as a security expert, measure too much [investment in security]? And, if I use your example, I have windows. I have doors. I can put a second deadbolt on, but, by the way, I could put a third [and] I could put a fourth. I could start putting cameras on. I could put on a new lock. I could double-lock. I could put in an electrified fence. There is a perception that this is a money pit. I can keep throwing things at it. How do you measure where that balance is?
Ayers: That is a great question. I'm going to have to defer back to my law enforcement experience. It goes back to assumable risk. How much are you willing to assume? Because, look, let's be honest: There's no silver bullet in cybersecurity, physical security, anything we do. There's always going to be a way for someone to circumvent the control. So, you have to assume some risk. The question that everybody has to ask themselves is, 'How much risk am I willing to assume?'
But there's also the lack of education [that causes people to say], 'I have nothing anyone wants,' and that is the problem that we all need to look ourselves in the mirror about. There's always something someone wants. 'What is enough?' is really what you're getting at. You'll never be able to get enough, because there is always someone or some group that's trying to figure out how to circumvent that.
But if you have visibility, if you have the ability to monitor, then guess what? You combat that. The biggest problem a lot of people really don't understand is the harder you make it, the less interested the bad guy is. An example: At your home, you've got ADT. You put the [ADT] sticker up there. You've got SimpliSafe. You've got a sticker up. That may be just enough to deter somebody not to break into your home. Whether you've got triple deadlocks, you've got motion lights, you've got a siren that kicks off because they hit a tripwire -- whatever the case may be -- can you give them enough information that [makes them say], 'You know what? This is too hard of a target. I'm going to go after something easy"? Because that, at the end of the day, is really what's taking place today: You're making yourself easy for someone to go after because you're not doing anything or you're doing what you think is just enough.
And this is where our threat modeling tool comes in. It gives you that actual intelligence and what things you should be doing so that you can actually do something about it. Because the problem we have today is we don't know what we don't know. And I know that sounds odd, but a lot of our customers in this space today, the small to medium enterprise space, do not know what is being used to attack them. And that's magic. Now, you know what they're using to attack you. Now, you can put some type of defense in place to prevent it. But it doesn't solve for everything.
Virtual vs. physical security
Sobel: Particularly because you've got experience in law enforcement, I want you to help me understand where the analogy breaks down a little bit when we compare the physical [security] world to the virtual one. And what I mean by this is, in a physical world, the challenges to doing that breach are significant, because there's physical [limitations]. I have a person that's a limited resource, who has to attempt to break in a door or a window or whatever it is. So, there's that. There's also the penalty. I definitely know that there's a link to jail and all of the bits where law enforcement will physically show up and haul somebody off who's caught in my house.
But now when I go to the virtual world, they can completely automate the attack. I can script all that. That's all automated. I have infinite capacity. I can knock on every single door. The likelihood of actually getting caught? Probably low. Will I actually get hauled into court? Will anybody actually find me?
What's your reaction to the disconnect, particularly from the perspective of a law enforcement officer?
Ayers: Well, I think there's one thing that's missing from your analogy there: the recon. Look, no one is going to break into any place, rob a store, or even hack into a place without doing some type of recon, and that is the piece that translates from physical to virtual. Bad guys are still using the same type of techniques of doing reconnaissance, and that reconnaissance is many things. So, what I mean by reconnaissance is they're looking at social media; they're looking at information that's out there about you and your company. What's the latest information that's been posted by news articles and things of that nature? Similar stuff that you do in the physical world is now transforming itself into the virtual world because we are a society of social [sharing]. We are a society of sharing everything we can, which provides the bad guys more information.
And now they leverage some type of tools to test you -- like phishing, like whaling. One of the big things a lot of people don't realize, and I recently did a thing about the logistics around COVID-19, is this whaling concept. This is being used as reconnaissance. They're not really trying to figure out how to get into your environment. What they're trying to figure out is who's susceptible so that [they] can now target those people or target that area to then make access. That is where we need to think about where the [physical vs. virtual] transition does happen. It's this concept of reconnaissance and gathering intel, and then figuring out what type of tool [they can use]. Hence, why we've seen phishing go up in the hundreds of percentiles over the last few months.
A great example of this: Most people are now more reluctant about clicking on a link in an email, [but] they're more susceptible to clicking on a document now, because they've been taught time and time again not to click on a link. Now, [attackers] are putting in documents. They're putting in pictures.
Recently, Russia came out with a technique where they're putting in pictures [and] they've embedded code inside the picture. You click on the picture to see the picture, and it immediately launches an executable file. I guess my point here is let's not be naive. The fact is that, no matter what type of crime it is, there is some type of reconnaissance that's going to take place in order to figure out how to get in and out without getting caught.
How threat modelling fits into zero-trust security
Sobel: That makes perfect sense to me. Now, what I want to link this then to -- this idea of threat modeling and what we're looking for -- is a bigger concept that I've been looking [at] and advocating that solution providers [who are] particularly focused on the SMB start really focusing on, which is the idea of zero-trust security. [Zero-trust security means] moving to a model where we're really concentrating on securing the crown jewels. How does this thinking on threat modeling fit in with the idea of moving towards zero trust?
Ayers: Well, let's first take a step back and understand the models. There's trust, and then there's "trust but verify," and then zero trust. Today, I think we're still in the very last two models of trusting information but no verification, then trust but verify. The zero-trust concept is still very foreign to a lot of people. But your question was, how does threat modeling get us closer to zero trust? I would say that what it does is it dynamically changes the way clients operate going forward, because now you have tailored intelligence. Now, you have tailored techniques so that you can put in tools like privileged access management, identity access management, because now you understand more about what is being used to attack your industry, which then allows you to put in the right specific controls, potentially maybe as a zero-trust model. It helps you answer those critical questions: 'Who's trying to attack me? Why are they? How will they? Am I prepared?'
So, there's where I think the linkage goes to zero trust: Is zero trust the right model for me to be prepared for, because now I know who's trying, why they are trying, and how they will try. Because that's our ultimate goal: It's to combat that. But we can't combat what we don't know.
The state of the cyber war in business
Sobel: I will totally buy that line of reasoning. I'm on board. So, I'm going to throw out a premise and I want your reaction to it: I think we're losing the cybersecurity war in business. We're just falling behind and we are, ultimately, losing right now, and there isn't a lot of evidence [I see] that we're winning.
The actors on the other side are highly sophisticated. They're running an incredibly complicated business. They've started affiliating. They've got franchises. They are doing PR and press releases. They're doing financial statements. They're just killing it over there. It's a great business, except for being illegal.
I think we're losing. What's your reaction to that?
Ayers: We've been losing for a long time. I think the one thing that you missed on that is all of it was right, except for collaboration. They collaborate better than we do, hence, why we're losing. We are still very much an industry; while it's a small industry, [it is] afraid to collaborate. We're afraid to share, because people will then take advantage of that and then raise their hand and say, 'Hey, I did this.'
What I think was a good turning point here was the Mitre ATT&CK matrix. The Mitre ATT&CK matrix was something that was shared that creates a powerful combination of not only people like ourselves who have our own threat intelligence and intellectual property, but [also partners such as] Recorded Future and things of that nature, that helps collaboration.
But, again, it's still the biggest problem we have in our industry today. I remember being at a McAfee Conference with [Former U.S. Secretary of State] Condoleezza Rice talking in 2016, and her experience in all of this was just that: We don't know how to collaborate. And until we learn how to collaborate at the highest levels to the lowest levels, we're going to consistently continue to lose.
Sobel: What needs to change then? Is it just we need to collaborate more, or is there more to what has to change for us to start winning?
Ayers: I think it's just how we change. Things like we're doing right now, like creating the threat modeling tool, things that we've got coming out in the future around helping people build out their programs -- it'll help. The biggest thing we need to do here is take the complexity out of it. And one of the goals, our mission at Nuspire, is to revolutionize that. So, you're going to start to see [Nuspire] TMT [Threat Modeling Tool], which just came out recently, and things that are coming down the pipe over the next few months. We feel we have a great grasp on CISOs, who are building products for CISOs. We know how complex it is, how hard it is, and we're trying to make it simpler for you to digest it, use it and act on it. Because, at the end of the day, Dave, when you go to somebody and ask them, 'Give me a definition of cybersecurity,' you'll get 10 different answers. And that's a problem.
Will regulation help change cybersecurity postures?
Sobel: So, that, again, makes sense to me. But is this forced change via regulation or will industry change on its own? How do you see that going?
Ayers: I think industry will change on its own. Look, industry has to continue to evolve. We have to be agile. We have to understand who our buyers are, our users. We have to stop throwing point solutions out there and saying, 'This solves it.' It's more than just point solutions. It's thought leadership. It's education. And it really is that. I mean, look, we're all trying to make money, but our goal is to dynamically change the client's threat landscape or perception of the threat landscape. If we educate them, guess what? We've won. We won a game. We've won. We're 1-0 when we educate. We're 2-0 if we provide thought leadership about what's forward thinking. We get to 3-0 if we can get them to take these specific tools and put these tools and controls in place that present some actionable format for them. Because if not, we're going to be 0-3, and then the bad guys are going to be 4-0, and they're going to continue to reap rewards from us. And, unfortunately, the old saying is, 'China looks at us for infrastructure, Russia looks at us as a piggy bank, and nation states look at us to [learn how to] better start wars.'
Sobel: John, I think you've laid out a four-point plan of action, so I think that's a great place to end this. Thanks for joining me.
Ayers: Thank you for having me. I really appreciate it, Dave. This has been great.
About the author
Dave Sobel is host of the podcast The Business of Tech, co-host of the podcast Killing IT and authored the book Virtualization: Defined. Sobel is regarded as a leading expert in the delivery of technology services, with broad experience in both technology and business. He owned and operated an IT solution provider and MSP for more than a decade, and he has worked for vendors such as Level Platforms, GFI, LogicNow and SolarWinds, leading community, event, marketing and product strategies, as well as M&A activities. Sobel has received multiple industry recognitions, including CRN Channel Chief, CRN UK A-List, Channel Futures Circle of Excellence winner, Channel Pro's 20/20 Visionaries and MSPmentor 250.