Enterprise Threat Modeling Provides the Needed Real-Time, Dynamic Perspective
by Archie Agarwal, CISSP
CEO & Founder
ThreatModeler Software, Inc
Cyber attacks and the associated risks are considered the number one concern by business leaders in advanced economies around the world. Leaders also perceive risks associated with cyber attacks as being the most likely risks to intensify in 2018. The identified attempts of attackers to locate and compromise system vulnerabilities rose a staggering 82% through the last half of 2017 alone, and the trending increase in new, advanced threats shows no signs of abatement. New exploit kits readily available on the dark web such as Sundown, RIG, and Neutrino allow even armature attackers to automate vulnerability searches, use advanced technologies to conceal the harvest of information, distribute ransomware or other malware payloads, or push persistent means to lure unsuspecting or unwary internet users.
Two-thirds of enterprises report the evolving threat landscape tops their list of business risks, yet only 20% of survey respondents are highly confident that their organization can manage and mitigate these risks.
At issue is more than the cost and reputational harm of a data breach. At worst a data breach presents a $50 million liability to a company with more than $1 billion in revenue – a material matter for the annual report, but nothing that cannot be overcome by a mature enterprise in 12 to 18 months. Equifax shares, for example, fell 34% in value immediately following their September 2017 announcement of a massive data breach, resulting in a loss of market value of almost $5.5 billion. However, in just five months shares in Equifax are trading 23% higher, and the company’s market value has rebounded by 43%.
This is not to say, as some have suggested, that it may not be worthwhile to recognize security events between reporting periods. On the contrary, the ability of large organizations to bounce back after a data breach is indicative only of the resiliency and resources that went into making a large enterprise. Furthermore, a breach of confidential consumer information, while potentially resulting in material reputational damage to the breached organization and substantial collateral damage collectively for the individuals connected with the breached information, is not the most significant cyber risk faced by businesses.
The bulk of a company’s value today – 80% or more – is derived from intangible assets. For companies on the S&P 500, intangible assets contribute up to 90% of market value. The point is, while public outrage, media attention, and hard-hitting regulations like the soon-to-be-enforced GDPR focus attention on the beaches of customer information, there is much more at stake. The loss of proprietary intellectual property, pre-published financials, or internal communiqués to a competitor through cyber espionage, even if eventually detected and legally defended, can materially harm a company or jeopardize its status as a going concern. Despite what is at stake, nearly three-quarters of organizations are “cyber novices,” having neither the strategy nor the execution to mitigate the risk of a potential or realized cyber-attack.
Interestingly, though, even if an organization is ranked among the elite 11% “cyber-experts,” they are just as likely to report a security incident as novice-level organizations. Apparently, attackers armed with automated exploit kits are not easily deterred by the number of guards at the gate or the defensive technology that may be in place. Increased spending alone on security technologies does not produce a more secure cyber environment.
In response, many business leaders, most notably from within the cyber insurance industry, are calling for better quantification of organizations’ cyber-exposure. The challenge, however, with which insurance providers and their customers struggle, is that quantifying cyber risk is fundamentally different from quantifying other types of risks.
Unlike traditional risk-assessment environments, an organization’s cyber environment is dynamic. Data moves to and fro throughout the office, even around the world, on a regular basis. The data is continuously changing, increasing, and being used to create new data. New applications are continually introduced. Cloud-based deployment environments expand and contract on demand. The number of IoT and mobile devices connected to the organization’s IT system continuously increases and often adds unowned and uncontrolled attack surface exposure. Moreover, organizations are increasingly bringing online industrial control and other cyber-physical systems to digitally operate everything from manufacturing plant equipment to office air conditioners. Executives and insurers cannot quantify an organization’s cyber-exposure unless and until they understand their threat portfolio and attacker population across the entire cyber ecosystem.
Security practitioners have attempted to understand the threats and attack patterns relevant to new applications through threat mapping for almost two decades. Threat mapping provides generalized understanding based on data flow diagrams of how individual assets can be attacked through the application being analyzed. Because it tends to be a slow, resource-intensive activity, however, the scope of what an organization can realistically investigate with threat mapping is annually limited to a few critical and high-risk applications in isolation – barely scratching the even the tip of an enterprise’s digital ecosystem. The result is that organizations can only attempt quantification of their cyber risk exposure based on static framework audits and analysis of cyber event histories. Doing so is about as expedient as navigating your commute to work while only looking in your rearview mirror. The mirror has its necessary function, but you need to be forward-looking to quantify and manage risk effectively.
Organizations need to develop a comprehensive, rigorous, structured set of security policies and processes that drive security end-to-end – before the incident or breach happens. The only way to achieve this within a dynamic environment is with enterprise threat modeling. Enterprise threat modeling analyzes the overall security risk posture across the full IT ecosystem – including the highly complex, multi-phased attack paths employed by today’s APT actors. Whereas threat mapping scratches the tip of the IT security iceberg, enterprise threat modeling allows organizational stakeholders to collaboratively hold the iceberg in their hands and view it from multiple perspectives. Enterprise threat modeling provides the “big picture,” in real-time, of the organization’s dynamic security posture. Automated enterprise threat modeling does for executives and security leaders what looking out the front window does for commuters on their way to work – to see what is coming, to quantify the risks, and to take the appropriate action before an event occurs.
About the Author
Anurag “Archie" Agarwal, CISSP, is the Founder & CEO of ThreatModeler Software, chief technical architect of ThreatModeler™, and the principal author of the VAST (Visual, Agile, and Simple Threat modeling) methodology. Archie has more than 20 years of real-world experience in threat and risk analysis and has been instrumental in the successful implementation of secure software development processes at a number of Fortune 1000 companies, thereby minimizing their exposure to cyber threats and improving their ability to mitigate risks. Before founding ThreatModeler Software in 2010, he was the Director of Education Services at WhiteHat Security.
Security Starts with ThreatModeler™ - the Industry's #1 Automated Threat Modeling Platform.
ThreatModeler™ is an innovative enterprise threat modeling platform that helps organizations fully integrate security into their SDLC and realize sustainable ROI on their security resources. The centralized threat framework automatically and seamlessly integrates security within existing agile and DevOps workflows. By identifying and mitigating potential security threats early in the SDLC – prior to implementing SAST and DAST, ThreatModeler™ simplifies efforts associated with developing secure applications. ThreatModeler™ then empowers enterprise IT organizations to map their unique secure requirements and policies directly into their enterprise cyber ecosystem – providing real-time situational awareness about their current threat portfolio and risk conditions.
ThreatModeler was specifically identify by Gartner in their Hype Cycle for Application Security, 2017, for automating “security requirements definition, risk assessment, and threat modeling,” with SDLC integration, which “can dynamically highlight potential security ramifications of functional requirements.”
ThreatModeler was awarded 1st place Winner of the Cybersecurity Excellence Award, 2017 and 2018, in the category of threat modeling product.
ThreatModeler was awarded Winner of the Cybersecurity Excellence Award, 2017 and 2018, in the category of threat modeling product.
Senior Director of Marketing
ThreatModeler Software, Inc
101 Hudson St
Jersey City, NJ 07302
 Drzik, John. “Cyber Risk is a Growing Problem. So how can we prepare?” World Economic Forum: New York. January 17, 2018.
 “Threat Landscape Report Q4 2017.” FortInet, Inc: Sunnyvale. February 2018.
 “By the Numbers: Global Cyber Risk Perception Survey.” Marsh LLC: New York. February 2018.
 Kvochko, Elena and Rajiv Pant. “Why Data Breaches Don’t Hurt Stock Prices.” Harvard Business Review. Harvard Business Publishing: Brighton. March 31, 2015.
 Skroupa, Christopher P. “How Intangible Assets are Affecting Company Value in the Stock Market.” Forbes. Forbes Media: Jersey City. November 1, 2017.
Covering hot topics in the industry, new research, trends, and event coverage.