Security Experts:

The Importance of Threat Modeling

In cyber security, it feels like at least once a week there’s a news story that gets people spun up in a panic. While there is no shortage of vulnerabilities and critical issues in the world, not everything applies to everyone. Hence, the importance of threat modeling.

If you’ve never done a threat modeling exercise, you should. At its most basic level, threat modeling asks you to think about ways that things could go wrong, work backwards to understand how your current controls would help, then identify your gaps. Threat modeling is one of the Swiss Army Knives of security, paying dividends over and over once you’ve gotten the hang of it.

Cyber Threat ModelSo why is threat modeling important, and why am I bringing it up? WhatsApp has been talked about a lot in the media over the past few weeks. The communications tool, now a part of FaceBook, provides its users with end-to-end encrypted communications and now voice and video calls. A researcher recently uncovered a mechanism the WhatsApp developers implemented to support usability, that under certain restricted circumstances, could possibly enable a third party to break that end-to-end secrecy model. Now comes the interesting part – the part where our industry peers put their tinfoil hats on and panic over “a backdoor for government spying.” SecurityWeek covered the news here. Make sure you read to the bottom.

So, what does this circus have to do with threat modeling? Frankly it perfectly illustrates how when you aren’t sure what you should be worried about, you worry about everything. Meteor strikes … a very real possibility but I’m not worried about it. Just like I’m not worried about zombies yet. I’m also not worried that a nation-state will hack my home network. Why do I not worry about these things? Simple. I’ve thought through a threat model –  nation states, zombies and meteors are not at the top of my list of threats.

That isn’t to say the things above aren’t threats to me – it’s just that there are things that I worry about that have a higher likelihood and more direct impact (and they’re likely things I can do something about, unlike meteors). Makes sense?

Let’s now apply this to our enterprise security roles. Do you ever find yourself trying to protect your organization from exotic attack scenarios that are highly unlikely or that would have a minimal impact on you? Or are you focusing on the statistically likely ways you’ll be attacked and fortifying those gaps? Are you more concerned that someone will develop or exploit a zero-day attack against your CEO’s iPad or that half of your company hasn’t received the Windows patch set from last month? Which is more likely, and more likely to cause you harm? These are things to consider.

Just for giggles – how do you know the difference? My friends, it’s impossible to protect and defend against everything bad that could happen. But you know that. So, the most important action you can take is to educate yourself and your teams about how to threat model to determine the things that are high impact, high likelihood. These are the ones that we can do something about… the rest are just edge cases that we can have contingency plans for if they ever happen.

view counter
Rafal Los is an industry innovator, strategist, and personality. Currently Rafal is the Vice President of Security Strategy at Lightstream Managed Services where he is responsible for strategy and design of the security practice. His career spans 20+ years while working inside companies from the Fortune 10 to a firm of less than 10. Rafal's strengths include strategic leadership, developing and refining market strategies, business process optimization, and bringing people together to solve complex problems. Most recent achievements include assisting a company in its pivot from infrastructure provider to security-as-a-service by developing a pre-sales strategy and developing a professional services framework; implementing significant changes in business process that led to the company's ability to measure the impacts of various efforts on the sales cycle. Follow Rafal on Twitter: @Wh1t3rabbit.