The Shift to Continuous Threat Monitoring
In today’s rapidly evolving digital landscape, diverse cybersecurity threats are increasing. Organizations face a spectrum of attackers, ranging from opportunistic criminals who exploit vulnerabilities, to targeted attacks by competitors or state actors with specific agendas.
Each organization has a unique threat landscape that includes random and carefully targeted attacks. Therefore, it is crucial to develop an individualized threat model for each organization and its systems. This tailored approach helps address specific threat scenarios and attack vectors relevant to the organization.
Threat modeling is a proactive approach to identifying potential security threats, assessing the associated risks, and developing mitigations to protect against those threats. Continuous threat monitoring ensures that these efforts are maintained and updated in response to new and emerging threats.
Using the fictional ACME Engineering Company, we’ll explore these concepts. ACME manages valuable assets like CAD models and customer data using Microsoft 365, Entra ID, and OneDrive. They also operate a custom build shop with a Java backend and React frontend.
To show how our open source tool ThreatShield facilitates ongoing security efforts, we will break down key terms, the threat modeling process, and why continuous monitoring is important.
Key Terms and Concepts
Systems
Definition: Systems refer to the software, IT infrastructure, and technological environments used by an organization. These include applications, databases, servers, network devices, and other IT components.
Purpose: Systems are the operational components that enable an organization’s functions and processes.
Examples: For ACME Engineering Company, systems include Microsoft 365, Entra ID for access management, OneDrive for storage, and their custom-built shop with a Java backend and React frontend.
Assets
Definition: Assets are the valuable resources and data that an organization aims to protect. These can be tangible or intangible and are often the target of threats.
Purpose: Assets represent the critical information or items that, if compromised, could impact the organization significantly.
Examples: For ACME, assets include CAD models, specifications, prepared patents, customer and sales data.
Note: In many threat modeling guides and books, both systems and assets are often collectively referred to as “assets.” This broader categorization simplifies discussions but can sometimes blur the distinctions between what is being protected (assets) and the operational components involved (systems).
Threats
Definition: Potential events or actions that can cause harm to an organization’s assets or systems.
Types: Internal, external, cyber, and physical threats.
Example: ACME faces threats like unauthorized access to CAD models, phishing attacks on employees, and cyber-attacks on their custom build shop.
Risks
Definition: The potential impact and likelihood of a threat exploiting a vulnerability.
Difference: A threat is a potential danger; a risk is the potential loss or damage from that threat.
Example: The risk from unauthorized access to ACME’s CAD models is the potential loss of intellectual property and competitive advantage.
Mitigations
Definition: Measures taken to reduce the impact or likelihood of a threat.
Importance: Mitigations protect assets and reduce risks.
Example: ACME could implement multi-factor authentication for accessing Microsoft 365 and OneDrive, and conduct regular security audits of their custom build shop.
By understanding these key terms and concepts, organizations like ACME Engineering Company can effectively identify, assess, and mitigate potential threats, ensuring the security and integrity of their valuable assets and systems.
Threat Modeling Process
Introduction to Threat Modeling
Threat modeling is a proactive process designed to identify, assess, and address potential security threats to an organization’s assets and systems. The primary goal is to understand the various ways an adversary could attack and to develop strategies to mitigate these threats.
For instance, ACME Engineering Company uses threat modeling to protect their valuable CAD models and customer data stored in Microsoft 365 and OneDrive, as well as to secure their custom build shop with a Java backend and React frontend.
Steps in Threat Modeling
Identifying Assets and Systems
The first step involves cataloging all systems and assets. For ACME, this includes their CAD models, specifications, patents, customer data, and the custom build shop application. Understanding what needs protection is crucial for effective threat modeling.
Identifying Threats
Once assets and systems are identified, the next step is to pinpoint potential threats. This involves brainstorming and researching possible adversaries and their tactics. For example, ACME identifies threats such as unauthorized access to CAD models, phishing attacks on employees, and SQL injection attacks on their Java backend.
Assessing Risks
After identifying threats, the next step is to assess the risks associated with each threat. This involves evaluating the likelihood of the threat occurring and the potential impact on the organization. For ACME, assessing the risk of unauthorized access to CAD models includes considering the probability of such an attack and the potential loss of intellectual property and competitive advantage.
Developing Mitigations
The final step is to develop strategies to mitigate the identified risks. Mitigations can include technical controls, policies, and procedures to reduce the likelihood or impact of a threat. For ACME, this might involve implementing multi-factor authentication for accessing Microsoft 365 and OneDrive, regular security audits, and using input validation and parameterized queries in their Java backend to prevent SQL injection attacks.
Different Approaches to Threat Modeling
Threat modeling can be conducted using various approaches to suit different organizational needs and contexts. Here are three common methods:
Whiteboard Sessions
Whiteboard sessions are a collaborative approach where team members gather to map out potential threats and vulnerabilities on a whiteboard. This method is beneficial for visualizing complex systems and engaging in real-time discussion and problem-solving. For example, ACME’s IT team might hold a whiteboard session to map out and discuss threats to their OneDrive storage.
Using Tools like Microsoft Threat Modeller
Microsoft Threat Modeller is a tool that helps automate and streamline the threat modeling process. It allows users to create and visualize threat models, identify potential threats, and generate reports on security risks. For ACME, using such a tool could enhance their threat modeling efforts by providing a structured approach to identifying and mitigating threats, ensuring no potential risks are overlooked.
Card Games
Card games like OWASP Cornucopia or Elevation of Privilege offer an interactive and engaging way to perform threat modeling. These games encourage team members to think like attackers and identify possible threats. At ACME, employees might use a card game to identify threats to their sales data, fostering a fun yet productive environment for threat modeling.
By following these steps and using different approaches, organizations like ACME Engineering Company can effectively identify, assess, and mitigate potential security threats, ensuring the ongoing protection of their valuable assets and systems.
Continuous Threat Modeling
What to Do After the First Threat Modeling Session?
After completing your initial threat modeling session, it’s essential to continue building on the insights gained. The first step is to record all identified threats, assessed risks, and proposed mitigations in a structured and accessible format.
Where to Record the Results?
Using a dedicated tool like ThreatShield can significantly streamline this process. ThreatShield allows you to systematically record and organize threats, risks, and mitigations, ensuring that all relevant information is easily accessible and updatable as your security landscape evolves.
How to Share Results with the Team, Management, and the CISO?
Effective communication is key to ensuring everyone is on the same page. ThreatShield supports collaborative features, enabling you to share detailed reports with your team, management, and the Chief Information Security Officer (CISO). Regular updates and meetings can help keep everyone informed about the current threat landscape and the status of ongoing mitigations.
How to Record Further Developments?
Continuous threat monitoring involves regularly updating your threat models as new information becomes available. This includes recording any new threats that emerge, as well as documenting the progress of mitigation efforts. ThreatShield can be used to log these updates systematically, providing a clear history of actions taken and their outcomes.
How to Assess and Track Risks?
Assessing and tracking risks is an ongoing process. Use ThreatShield to periodically reassess risks associated with identified threats. This involves evaluating the effectiveness of implemented mitigations and identifying any residual risks. ThreatShield’s analytics and reporting features can help visualize risk levels over time, making it easier to prioritize future security efforts.
In ThreatShield, users can define a risk’s severity, the frequency of incidents per year, and the cost per incident. Additionally, users can specify whether the risk is accepted or mitigated. For mitigations, users can track whether they are planned or already implemented.
By integrating continuous threat modeling into your security practices, you ensure that your organization remains vigilant and prepared to address evolving threats. Using tools like ThreatShield not only facilitates this process but also enhances collaboration and communication across all levels of your organization.
Reference to Continuous Threat Exposure Management (CTEM)
Gartner introduced the concept of Continuous Threat Exposure Management (CTEM) to address the limitations of traditional vulnerability management methods¹. CTEM is a proactive approach that continuously monitors, assesses, prioritizes, and resolves security issues. It focuses on improving an organization’s security posture by actively identifying and mitigating threats before they can be exploited.
CTEM consists of five stages: Scoping, Discovery, Prioritization, Validation, and Mobilization. This cyclical process ensures that organizations maintain a comprehensive and up-to-date understanding of their security landscape, allowing for prompt and effective responses to potential threats.
Reports and Analysis from Risk & Mitigation Data
With the detailed risk and mitigation data collected, ThreatShield can generate various insightful reports and analyses:
Risk Severity and Frequency Reports
Understand the impact and likelihood of risks to prioritize mitigation efforts.
Cost Analysis Reports
Estimate the financial impact of risks by calculating potential costs per incident and incident frequency.
Mitigation Status Reports
Track the status of mitigations, showing which measures are planned, in progress, or implemented.
Accepted vs. Mitigated Risks
Differentiate between accepted risks and mitigated risks to assess overall risk tolerance and identify gaps.
Trend Analysis
Monitor changes in the risk profile over time to identify emerging threats and adjust strategies accordingly.
Executive Summary Reports
Provide a high-level overview of the security posture, key risks, and mitigation efforts for senior management and the CISO.
These reports help organizations make data-driven decisions, ensuring a comprehensive understanding of their risk landscape and continuous improvement in their security posture.
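To make the risk fields described above (severity, incidents per year, cost per incident, accepted vs. mitigated, planned vs. implemented mitigations) and the cost, mitigation-status and gap reports concrete, here is an added Python model of that data. It is an illustration written for this article, not ThreatShield's own code or data model; the ACME figures and the 1..5 severity scale are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum

class RiskStatus(Enum):
    ACCEPTED = "accepted"
    MITIGATED = "mitigated"

class MitigationStatus(Enum):
    PLANNED = "planned"
    IMPLEMENTED = "implemented"

@dataclass
class Risk:
    name: str
    severity: int               # constructed 1..5 scale, 5 = critical
    incidents_per_year: float   # expected frequency of incidents
    cost_per_incident: float    # loss per incident in currency units
    status: RiskStatus
    mitigations: dict = field(default_factory=dict)  # name -> MitigationStatus

    def annual_cost(self) -> float:
        # Cost analysis: expected yearly loss = frequency x cost per incident
        return self.incidents_per_year * self.cost_per_incident

def cost_report(risks):
    """Risks ranked by expected annual cost, highest first."""
    return sorted(((r.name, r.annual_cost()) for r in risks), key=lambda t: -t[1])

def mitigation_status_report(risks):
    """Count mitigations per status (planned vs implemented) across all risks."""
    counts = {s.value: 0 for s in MitigationStatus}
    for r in risks:
        for status in r.mitigations.values():
            counts[status.value] += 1
    return counts

def open_gaps(risks):
    """A risk marked 'mitigated' stays a gap until every mitigation is implemented."""
    return [r.name for r in risks if r.status is RiskStatus.MITIGATED
            and any(s is not MitigationStatus.IMPLEMENTED for s in r.mitigations.values())]

# Constructed ACME sample data; the figures are illustrative, not from the article
ACME_RISKS = [
    Risk("Unauthorized access to CAD models", 5, 0.2, 500_000, RiskStatus.MITIGATED,
         {"MFA for Microsoft 365 and OneDrive": MitigationStatus.IMPLEMENTED}),
    Risk("SQL injection in shop backend", 4, 1.0, 50_000, RiskStatus.MITIGATED,
         {"Parameterized queries in Java backend": MitigationStatus.PLANNED}),
    Risk("Phishing of employees", 3, 4.0, 5_000, RiskStatus.ACCEPTED),
]
```

Re-running these functions on each updated snapshot of the risk list is the basis for the trend analysis: a rising expected annual cost or a persistent entry in the gap list is what should trigger re-prioritization.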
Conclusion
In the ever-evolving cybersecurity realm, the practices of threat modeling and ongoing threat monitoring play a pivotal role in protecting an organization’s assets and systems. By delving into the case of ACME Engineering Company, we have illustrated how the identification & resolution of threats, risk evaluation and mitigation implementation can effectively safeguard valuable data and operations.
Threat modeling plays a crucial role in enabling organizations to anticipate security risks and devise effective strategies to address them. Various methods, including whiteboard sessions, card games, and tools like Microsoft Threat Modeller, offer diverse avenues for involving teams in the identification and mitigation of threats.
However, it is important to note that threat modeling should not be considered a one-time occurrence. Continuous threat monitoring is essential to guarantee that your security protocols remain efficient in the face of ever-changing threats. Solutions such as ThreatShield play a crucial role in this process by enabling constant monitoring and reevaluation of threats, risks, and countermeasures. This ongoing monitoring enables frequent updates and information sharing with all involved parties, thereby establishing a strong and current security framework.
Gartner’s concept of Continuous Threat Exposure Management (CTEM) emphasizes a proactive and ongoing approach to security. By continuously monitoring, assessing, and mitigating threats, organizations can significantly reduce their risk of breaches and enhance their overall security posture.
Incorporating these practices into your organization’s security strategy ensures that you remain vigilant and prepared against the ever-changing threat landscape. Embrace continuous threat modeling and monitoring to safeguard your organization’s assets and uphold a resilient security posture.
Oliver Tigges
Oliver is one of the founders and CEOs of Inspired. In client projects, he is always particularly interested in mediating between the engine room and the boardroom. He also supports management in assessing the opportunities, risks and effects of pioneering and sustainable technology decisions.