Each new multi-million-dollar breach or devious, sophisticated hack triggers countless organizations to gravitate toward new cybersecurity tools they think are even more sophisticated. Simply throwing money at the problem doesn’t address the bigger issue.
How do these hackers keep winning?
To get at the core of that issue, the key is threat modeling. This is not some new subscription-based software that keeps you safe; it’s the practice of flipping the equation on its head so you see things the same way a hacker does.
What is threat modeling?
Threat modeling, a common practice in application development, is essentially the same thing as what the insurance world calls “risk analysis.” It offers a better understanding of where threats are coming from and allows you to put mitigating controls in the right places. This leads to not only better security, but potentially lower costs.
For instance, if you put up a web application firewall (WAF) behind critical applications, it’s possible you added some protection. For the WAF to work properly, however, it needs to be configured, and an employee needs to maintain it, adding more expense.
What you don’t get in that scenario is any intel as to doors you may have unintentionally left open in your attack surface. According to ESG Research, 69% of organizations have experienced some type of cyberattack that began with the exploit of an unknown, unmanaged or poorly managed internet-facing digital asset.
Going through a threat modeling exercise can have a huge impact across an organization. It’s not just a technical practice that applies to developers. Chief information security officers (CISOs) and chief technology officers (CTOs) should be using this with a top-down approach across all departments they oversee.
There are four primary questions to ask yourself as you conduct a threat modeling exercise to better protect your organization. Let’s dive into each and put them into greater context.
What will hackers target?
To beat the hackers, you need to know what you should be protecting. This requires visibility, which you can gain through an analysis of your attack surface — not just your external-facing assets, but also your internal ones. This complete picture of your organization is what allows you to model against threats.
When organizations run this assessment, they often discover forgotten assets or resources they thought were put up temporarily, like a staging environment, third-party assets or customer assets they forgot they deployed.
Consider risk through the CIA triad: Confidentiality, Integrity and Availability. If the confidentiality of a database is exposed, how much risk are you exposed to? Even if it’s not exposed — let’s say someone tampered with the database — how does its lack of integrity affect the organization? What are the implications if a distributed denial of service (DDoS) attack takes the database out and it’s no longer available?
It’s when that risk comes to light that practitioners can start getting defensive and try to downplay the danger. Don’t make this exercise about blame! To get a better security posture you need to acknowledge that risk and then act on it.
What can go wrong?
Hackers try to cause the most damage possible. They’ll assume that your most critical business assets are well protected, and instead try to target something you’re not paying attention to. Those blind spots are what often cause organizations the biggest headaches.
Think of this on a more tangible scale. Let’s say the back door of your house has a deadbolt and a lock on the handle — but you also have a doggie door. It may not be how you get into the house, but you better believe if someone is trying to break in, they’d use it. The same goes for your organization’s attack surface.
If you have a misconfigured web server or forgot that you still had active resources from your old cloud infrastructure, that’s how hackers may gain entry and start moving around. This is where things can quickly spread to third parties and supply chains. According to ESG, eight out of 10 organizations experienced a supply-chain breach, yet only 22.5% monitor their entire supply chain.
What are we doing about it?
As you build a threat model you need to prioritize the likelihood of events. Maybe a hacker wouldn’t find your old cloud resources, but is it more plausible that your domain is misspelled? What’s the likelihood that a customer types that in and is hit with a spoofing attack?
You need to put mitigating controls in place for the threats you think are most likely once you’ve uncovered them all. The starting point for controls is typically firewalls because they cover what the organization knows about. Intrusion detection and prevention systems are also common, as are content delivery networks. But none of those controls affect the unknowns that the organization isn’t aware of.
Are we doing a good enough job?
Because organizations typically don’t have a full understanding of their attack surfaces, there’s usually more that could be done to protect them. Threat modeling forces everyone to think more creatively. Once you know what that attack surface looks like, how can you limit the threats? It’s one thing to acknowledge the strategy; it’s another to implement it for your organization.
A quick way to reduce risk is to take down assets that aren’t in use. If there’s no business reason for them to still be on your network, all they do is pose a threat. Without them, you cut off paths that a hacker can follow to compromise your organization.
Instead of wasting a security budget throwing money at the potential risk of a breach, threat modeling can show you where your vulnerabilities are. It reminds you that those forgotten resources still exist, and pose a potential threat. Having this layer of visibility gives you the best shot at beating the hackers before they can gain access to your network.
Marcos Lira is lead sales engineer at Halo Security.