This post is about how threat modeling can reduce the cost and time of security. Threat modeling can be an effective way to reduce the cost and time spent on security, but how effective it is depends on how it is implemented: the more effectively you implement it, the better the result you get. In this post we describe several ways to do it effectively.
Do Threat Modeling In The Early Stages.
To ensure that you have identified the threats and set a suitable mitigation for each one, you need to do threat modeling in the early stages of design or planning. Security issues are less costly to fix and projects are delivered on time when threat modeling is done early. There is a reason to do it before the technical vulnerability management phases: you then know exactly how to act on vulnerability assessment results systematically instead of overreacting to them. Without a threat modeling framework in place before technical vulnerability management, you do not have a full plan and program for managing enterprise cybersecurity exposure strategically, and most likely you end up fire-fighting from one vulnerability to the next.
Threat Modeling Helps You To Better Understand Attacks.
Understanding your organization's environment and everything inside it helps you predict how attackers may gain access to your organization and what they may do with it. Thus you know how to protect your organization and prevent those attacks, so you do not end up paying to resolve them afterwards. We use the term attack path mapping: it is useful to consider the likely scenarios and their context first and to have the countermeasure plan in hand, so that you manage cyber exposure proactively rather than fire-fighting. Each breach costs a great deal, and not just in lost data; the damage to the company's reputation is hard to measure in cost alone.
Different Outputs For Different Stakeholders.
Each stakeholder should receive a different output from the other stakeholders, because each of them has a different job, and each job requires a different output that helps them figure out what they need in order to get the job done. For instance, developers need to know which security requirements they must meet, and engineers need to know which security controls to implement, and so on. By having the threat model, the attack path layout and all the potential issues upfront, everyone knows their role and what they need to do to contribute their portion of the cyber defence.
Threat Modeling Output Should Be Sent To CI/CD Tools.
By sending the threat model output to your CI/CD tool, you can monitor the mitigation of the threats you have identified throughout the development process, so you stay up to date and are aware when anything changes. The trend is toward DevSecOps: a shift from application security (AppSec) as a separate activity to continuous security integration that streamlines everyone's tasks and offloads those that can be automated, so you can focus on what matters most.
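The two preceding points, per-stakeholder outputs and feeding the threat model into CI/CD, come together once the threat model is kept as machine-readable data rather than a document. The following is an added example, not E-SPIN's code nor the output format of any particular threat modeling tool: the JSON field names (threats, mitigations, owner, status, evidence), the threat and mitigation ids, and the sample component are all constructed for illustration. It renders the developer and engineer views from one model and implements a CI gate that fails when a high-risk threat still has an unverified mitigation, or a mitigation is marked verified without evidence.

```python
"""Threat model as data: per-stakeholder views plus a CI/CD gate.

Added example, not the page's or any vendor's code. The JSON schema and all
ids/statuses below are constructed assumptions for illustration.
"""
import json

# Constructed sample export for one component. A real threat modeling tool
# would produce something similar; the exact fields are an assumption.
THREAT_MODEL_JSON = """
{
  "component": "order-service",
  "threats": [
    {"id": "T-1", "title": "SQL injection via order search", "risk": "high",
     "attack_path": "internet -> api gateway -> order-service -> db",
     "mitigations": [
       {"id": "M-1", "type": "requirement", "owner": "developer",
        "text": "Use parameterised queries for all order lookups",
        "status": "verified", "evidence": "sast-job-142"},
       {"id": "M-2", "type": "control", "owner": "engineer",
        "text": "DB account for order-service limited to SELECT/INSERT on orders schema",
        "status": "verified", "evidence": "iam-review-2024-03"}
     ]},
    {"id": "T-2", "title": "Stolen API token replayed from another network", "risk": "high",
     "attack_path": "internet -> api gateway -> order-service",
     "mitigations": [
       {"id": "M-3", "type": "control", "owner": "engineer",
        "text": "Short-lived tokens bound to the client certificate",
        "status": "planned", "evidence": null}
     ]},
    {"id": "T-3", "title": "Verbose stack traces leak internal hostnames", "risk": "low",
     "attack_path": "internet -> api gateway -> order-service",
     "mitigations": [
       {"id": "M-4", "type": "requirement", "owner": "developer",
        "text": "Generic error responses in production builds",
        "status": "in_progress", "evidence": null}
     ]}
  ]
}
"""


def load_model(text):
    """Parse the exported threat model (constructed schema, see module docstring)."""
    return json.loads(text)


def view_for(model, role):
    """Per-stakeholder output: only the mitigations this role owns, grouped per threat.

    Developers get the requirements they must meet; engineers get the controls
    they must put in place. Each entry carries the threat's risk for priority.
    """
    view = []
    for threat in model["threats"]:
        mine = [m for m in threat["mitigations"] if m["owner"] == role]
        if mine:
            view.append({"threat": threat["id"], "risk": threat["risk"],
                         "items": [(m["id"], m["text"], m["status"]) for m in mine]})
    return view


def gate(model, block_on=("high",)):
    """CI/CD gate. Returns a list of failure messages; empty means the build may proceed.

    Fails when a threat at a blocking risk level has any mitigation that is not
    verified, or when a mitigation claims 'verified' without a reference to evidence
    (a scan job, a review record) so the claim can be audited.
    """
    failures = []
    for threat in model["threats"]:
        for m in threat["mitigations"]:
            if m["status"] == "verified" and not m.get("evidence"):
                failures.append(f'{threat["id"]}/{m["id"]}: verified without evidence')
            elif threat["risk"] in block_on and m["status"] != "verified":
                failures.append(f'{threat["id"]}/{m["id"]}: {m["status"]} mitigation '
                                f'for {threat["risk"]}-risk threat')
    return failures


def coverage(model):
    """Fraction of all mitigations that are verified, for a dashboard trend line."""
    mitigations = [m for t in model["threats"] for m in t["mitigations"]]
    return sum(m["status"] == "verified" for m in mitigations) / len(mitigations)


if __name__ == "__main__":
    import sys
    model = load_model(THREAT_MODEL_JSON)
    for role in ("developer", "engineer"):
        print(f"== {role} view for {model['component']} ==")
        for entry in view_for(model, role):
            for mid, text, status in entry["items"]:
                print(f"  [{entry['threat']} {entry['risk']}] {mid} {status}: {text}")
    problems = gate(model)
    print(f"mitigation coverage: {coverage(model):.0%}")
    for p in problems:
        print("GATE FAIL:", p)
    sys.exit(1 if problems else 0)  # non-zero exit fails the pipeline stage
```

Run as a pipeline step, the script exits non-zero on the sample data because T-2 is high risk and its only mitigation is still planned, while the low-risk T-3 does not block the build; the evidence check stops a mitigation from being ticked off without anything a reviewer can follow up.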
Summary
In this post we have talked about the ways you can apply to do threat modeling effectively so that it helps reduce the cost and time of security. The ways mentioned are: do threat modeling in the early stages, use threat modeling to better understand attacks, produce different outputs for different stakeholders, and send threat modeling output to CI/CD tools.
Feel free to contact E-SPIN for threat modeling consultancy, whether to coach your team in a workshop to produce your own threat model or to apply one of the established threat models, to help guide technical vulnerability management, or to map it into your DevSecOps solutions.