Threat modeling must evolve to remain an effective security practice. Traditional threat modeling based on data flows is manual -- it doesn't scale well with today's business expectations and expanding threat landscape. The practice is an organizational bottleneck and a place for security efforts to run aground.
Threat modeling, however, is still critical to security. But we need to change our approach to the process by aligning security with business risk.
The need for policy-driven security
Threat modeling is the process of identifying potential attacks, describing their prospective impact, and prioritizing response and remediation measures. Traditionally, security teams would start by identifying the attacker, but expanding networks have made it difficult to detect who accesses their systems and where their data resides.
The threat landscape is constantly evolving. Networks are now so complex and intertwined that no single group truly understands their architecture. To add to the complexity, data is housed in many clouds and microservices -- each possessing valuable information hackers can steal or exploit.
On top of all those problems, we're experiencing a cybersecurity skills shortage. Most security teams are underresourced and lack the personnel to handle a challenge of this size and complexity.
Security teams need to replace manual threat modeling practices with a policy-driven model that contextualizes recommended remediations for common events. A knowledge base can help address common attacks by managing remediations in the form of security policies.
A policy-driven security model provides a baseline context for every software build, which can be measured against policies to determine if developers are compliant. Tying policies to business risks offers several advantages, such as integrating security risk assessments into product delivery pipelines. This ensures high levels of security and reduces costly rework activities later in the cycle -- a consequence of viewing security as an afterthought.
A policy-driven security model also reflects the realities of business, where strategies might change frequently. In certain scenarios, for instance, a business can decide it's best to cooperate with a competitor before eventually going back to head-to-head competition. A policy-driven model can adapt to these changes more easily.
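One way to express the policy-driven check described above in a delivery pipeline, as an added example that is not from the article or from any product it mentions. The policy fields, ids, build attributes and control names are all assumptions made for illustration; because the policies are data, a change in business risk is an edit to the knowledge base rather than to the pipeline code.

```python
import json

# Constructed, hypothetical knowledge base: threat -> required control -> business risk.
KNOWLEDGE_BASE = [
    {"id": "POL-001", "threat": "credential stuffing",
     "applies_if": {"internet_facing": True},
     "required_control": "mfa", "business_risk": "high"},
    {"id": "POL-002", "threat": "card data disclosure",
     "applies_if": {"handles_payment_data": True},
     "required_control": "field_level_encryption", "business_risk": "high"},
    {"id": "POL-003", "threat": "log tampering",
     "applies_if": {},  # empty condition: applies to every build
     "required_control": "append_only_audit_log", "business_risk": "medium"},
]
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}

def applies(policy, context):
    """A policy applies when every attribute it names matches the build context."""
    return all(context.get(k) == v for k, v in policy["applies_if"].items())

def evaluate(build, knowledge_base=KNOWLEDGE_BASE):
    """Measure one build against every policy and return one record per policy."""
    records = []
    for policy in knowledge_base:
        if not applies(policy, build["context"]):
            status = "not_applicable"
        elif policy["required_control"] in build["controls"]:
            status = "compliant"
        else:
            status = "non_compliant"
        records.append({"policy": policy["id"], "threat": policy["threat"],
                        "business_risk": policy["business_risk"], "status": status})
    return records

def gate(records, block_at="high"):
    """Pipeline decision: block when an unmet policy reaches the risk threshold."""
    return not any(r["status"] == "non_compliant"
                   and RISK_ORDER[r["business_risk"]] >= RISK_ORDER[block_at]
                   for r in records)

# Constructed build description, as a pipeline step might emit it.
SAMPLE_BUILD = {"name": "checkout-service",
                "context": {"internet_facing": True, "handles_payment_data": True},
                "controls": ["mfa", "append_only_audit_log"]}

if __name__ == "__main__":
    results = evaluate(SAMPLE_BUILD)
    print(json.dumps({"build": SAMPLE_BUILD["name"], "results": results,
                      "release_allowed": gate(results)}, indent=2))
```

The per-policy records double as an audit trail for the release decision, and `block_at` lets the business decide which risk level stops a build.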
The time has come for a new model
Threat modeling is extremely valuable, but manual operational procedures must change. As a starting point, several organizations are challenging historic assumptions surrounding security modeling.
The Cloud Security Alliance, for example, recognizes the changing asset landscape and offers guidance on cloud threat modeling. The Open Web Application Security Project promotes modeling throughout the software development lifecycle, not just in the design phase. SAFECode also addresses the shortcomings of traditional approaches to modeling. It recommends, among other things, an auditable output. The Open Group recommends a zero-trust approach that moves away from network-centric security into asset- and policy-driven security.
Developing a policy-driven model and tying it to business needs are evolving processes. Experts advocate using manual threat modeling in the software delivery pipeline, but most developers don't have the bandwidth to sustain this work. Developers I've spoken with say threat modeling would be a good skill to know, but they would rather have full-time experts handle these activities.
To be clear, traditional threat modeling shouldn't be abandoned entirely. It still has value, but it's often not the best option. An entirely manual threat modeling approach won't scale effectively in the long run. A policy-driven approach to threat modeling is the best option moving forward.
About the author
Altaz Valani is director of insights research at Security Compass. Before his current position, Valani was senior research director and executive advisor at Info-Tech Research Group, providing advice on application development, application rationalization, Agile, cloud, mobile and the software development lifecycle. Valani is vice chair of The Open Group Security Forum, is a member of the SAFECode Technical Leadership Council and sits in industry working groups at IEEE, Cloud Security Alliance, OASIS and Object Management Group.