Mitigating Cyber Exposure with Threat Modeling
Deeper Dives: Q&A with Barbara Cosgriff, Principal Technologist, Intelligent Systems Security
We recently hosted a webinar called Mitigating Cyber Exposure with Threat Modeling, providing insights and clarity on how threat modeling helps you visualize risk, see patterns, and understand change within intelligent connected systems. If you haven’t watched this webinar yet, you can do so here.
Below are key insights from the discussion:
How would you summarize threat modeling and how it works within intelligent connected systems?
Threat modeling is an organized approach to documenting components of your architecture in the form of data-flow diagrams, then assessing the security threats to the assets that you’re trying to protect and the resilience of the system’s architecture to these threats. It is a set of methodologies that security experts and software developers use, starting at the design stage. It requires end-to-end analysis of the architecture design, which includes considering every entry point, every exit point, trust boundaries, and known threats to the components of intelligent connected systems. This analysis serves as the basis for prioritizing and implementing the long-term security controls in your system.
Threat modeling enables informed decision-making when assessing cyber risks, providing you actionable insights about what needs fixing. It is an essential component of building, deploying, and managing secure software. Organizations that embrace threat modeling gain a security advantage through their ability to protect sensitive data, to establish preventative measures to mitigate the impact of a data breach, and to enhance their overall security posture.
Why is it important to identify threats during design?
The cost of remediating vulnerabilities or any types of bugs gets more expensive the closer you get to deployment. Finding defects, especially security defects, then repairing them and deploying patches can cost as much as 100 times more in deployed systems versus during the development phase.
Critical decisions made at the design phase about infrastructure, design components, and data flow, all of which could be vulnerable to threats, are not easily reversible. If we don’t make the right security decisions at design time, we risk an expensive fix later. We also risk a security vulnerability with a product in the field and not finding this vulnerability before an attacker does.
How has the emergence of intelligent edge systems evolved the landscape of threat modeling for product managers?
Currently, security has to be in the forefront for everyone involved, whereas if you go back a decade or two, especially on the product security side, only those systems that were deemed most critical had a high security focus. But with the attacks across the world right now, every product and every connected device has to be secure.
The physical and network boundaries, previously under the control of the enterprise infrastructure, are gone. So, ready or not, we’re a connected society. With that connectedness comes risks that can shut down a business or even take down our most critical infrastructures. So, as product managers, it’s important that we get all the security requirements documented and that we follow emerging threats, as this is an ever-changing landscape.
How does threat modeling further apply in the design of intelligent edge systems?
In most cases, the physical layer of protection has been removed, and we have devices all over the place. Consider the restrictions and protections around accessing the physical data centers, where the software and the hardware are located. And now consider devices such as intelligent medical devices that are now physically distributed. These are easily accessible, and someone could tamper with them. These are situations that we originally didn’t think about when we were threat modeling.
The loss of physical access control has greatly impacted the attack surface of the intelligent edge, which now extends far beyond the data center. The attack surface broadens because it now also entails knowing what the devices connect to, and what happens if we connect them to something else. You need to consider the threats when someone has access to a system in your car, or your key fob.
How do we establish controls for intelligent edge systems?
Now we must consider how we protect those other assets that we can’t physically control. So that’s why we’re ensuring that we have a secure boot and other anti-tampering techniques on those systems as well as other security controls that sit above that OS layer. So originally in threat modeling, we had things like access control/certificates to know that we were talking to the right server and the right client. Now we must extend those controls to have the capability to establish a baseline in determining whether data, software, or an operating system has been tampered with. So we need to identify, define, control, and resolve new threats. The data flow within a design is the basis of threat modeling.
When you threat model the intelligent system you have to consider the whole connected continuum.
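As an added example that is not part of the webinar or the speaker’s material, the following Python sketches the data-flow analysis described in the answers above: elements placed in trust zones, flows between them, flows that cross a trust boundary flagged as entry/exit points, and the controls the answers name (certificates, secure boot, an integrity baseline) attached to the elements that need them. All element names and the sample model are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Element:
    name: str
    zone: str                    # trust zone the element lives in
    physically_controlled: bool  # True only inside a physically guarded data center

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str

@dataclass
class ThreatModel:
    elements: dict  # name -> Element
    flows: list     # Flow objects drawn from the data-flow diagram

    def boundary_crossings(self):
        """Flows whose endpoints lie in different trust zones: each is an entry or exit point."""
        return [f for f in self.flows
                if self.elements[f.src].zone != self.elements[f.dst].zone]

    def required_controls(self):
        """Map each element to controls: certificates for cross-boundary traffic,
        secure boot plus an integrity baseline for anything an attacker can physically reach."""
        controls = {name: set() for name in self.elements}
        for f in self.boundary_crossings():
            for end in (f.src, f.dst):
                controls[end].add("mutual authentication (certificates)")
        for name, el in self.elements.items():
            if not el.physically_controlled:
                controls[name].update({"secure boot", "integrity baseline"})
        return controls

# Constructed sample model (hypothetical names): a distributed medical device
# reporting through a field gateway to a cloud API inside a data center.
SAMPLE = ThreatModel(
    elements={
        "infusion_pump": Element("infusion_pump", "field", False),
        "field_gateway": Element("field_gateway", "field", False),
        "cloud_api": Element("cloud_api", "datacenter", True),
    },
    flows=[
        Flow("infusion_pump", "field_gateway", "telemetry"),
        Flow("field_gateway", "cloud_api", "telemetry"),
        Flow("cloud_api", "field_gateway", "firmware update"),
    ],
)
```

In the sample, the pump-to-gateway flow stays inside the field zone, so it is not an entry point, but both field elements still get secure boot and a baseline because nobody physically controls them.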