Episode 41

Do you see what attackers see? Threat modeling done right

Threat modeling is an intrinsic part of information security governance and needs to be done well. However, research finds that many organizations don't do it well; some are pretty haphazard or chaotic in their approach. In this episode, Marcos Lira, Lead Solutions Engineer at Halo Security, sheds light on how to do threat modeling the right way. The key questions driving the discussion were: a) what is the scope and purpose of threat modeling? b) what have people and organizations been getting wrong about threat modeling? c) what is the right way of doing threat modeling? and d) what is the future of threat modeling?


Time Stamps

01:45 -- Please share with listeners some highlights of your professional journey.

03:52 -- Marcos, please provide listeners with an overview of Threat Modeling. What is it? What is its purpose?

08:13 -- Threat Modeling is such an intrinsic part of information security governance, and it is so important that it's done well. However, my research finds that many organizations don't do it well. Some are pretty haphazard or chaotic about it. Some want to focus on a few applications and are hasty about it. Your thoughts?

14:06 -- There's a lot of guidance out there. But that can be overwhelming and create confusion regarding the right way to do threat modeling. Can you provide some clarity?

22:19 -- As a practitioner, what are your thoughts about the future of threat modeling?

24:23 -- Please share your final thoughts and help us wrap up the episode for today.


Memorable Marcos Lira Quotes/Statements

"You can't make informed decisions about business without threat modeling."

"What most organizations get wrong is that they believe threat modeling will slow the business down."

"What most people get wrong about threat modeling is that it is time-consuming, cumbersome, and confusing because there are so many methodologies out there."

"Threat modeling is a proactive approach. It's going to help the organization decrease costs over time."

"The threat modeling manifesto said it best -- the right way of doing threat modeling is by answering four questions: a) What are we currently working on? b) What can go wrong? c) What are we going to do about it? d) And did we do a good enough job?"


Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712

Latest Publication: https://www.imd.org/ibyimd/magazine/preventing-security-breaches-must-start-at-the-top/

Transcript
Introducer:

Welcome to the Cybersecurity Readiness Podcast Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of the book Cybersecurity Readiness: A Holistic and High-Performance Approach, a SAGE publication. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars and workshops, consulted with companies and served on a cybersecurity SWAT team with Chief Information Security Officers. Dr. Chatterjee is Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia. As a Duke University Visiting Scholar, Dr. Chatterjee has taught in the Master of Engineering in Cybersecurity program at the Pratt School of Engineering.

Dr. Dave Chatterjee:

Hello, everyone, I'm delighted to welcome you to this episode of the Cybersecurity Readiness Podcast Series. The discussion today will focus on threat modeling. Some of the questions driving the discussion are, a) what is threat modeling? b) what is its purpose? c) what have people and organizations been getting wrong about threat modeling? d) what is the right way of doing threat modeling? and finally, e) what is the future of threat modeling? Marcos Lira, Lead Solutions Engineer at Halo Security, joins me in shedding light on this very important cybersecurity governance topic. Welcome, Marcos.

Marcos Lira:

Hi, Dr. Dave. It's a pleasure to be here. Thanks for having me.

Dr. Dave Chatterjee:

Thank you so much for making time. I know this is gonna be an exciting session. And I know listeners will greatly appreciate your insights. So before we get into the details of threat modeling, let's talk about you. Please share with listeners some highlights of your professional journey.

Marcos Lira:

Absolutely! In preparing for the podcast, I was doing some research. And it appears that you and I have a similar background. We both started, it looks like, in finance. So I think you have a degree in accounting. Yes. And my degree is in finance with an emphasis in financial planning and taxation. And so in the beginning part of my career, I focused on financial planning and tax preparation, whatnot. And about 10 years ago, I decided to pivot to cybersecurity. And it really happened with the transition of, you know, cloud adoption and digital transformation in the finance world. And so this was shortly after, you know, 2010. I began noticing that a lot of my clients were required to, or they were being asked by these financial institutions to submit, you know, their credentials from another bank, or brokerage, an insurance provider. And they were aggregating this data on this one platform. I started thinking to myself, I wonder what kind of security controls are in place, because there's a lot of data being transferred around these different institutions and different applications. And so that got my interest in cybersecurity. And so yeah, the rest is history. And I've been in the application security space now for a little, about 10 years.

Dr. Dave Chatterjee:

That's great to hear. And Marcos, I'm glad you shared, you know, how you stumbled into this field, if I may. And so did I. And, in fact, I want to take this opportunity of encouraging many listeners who may not be in this field, or, and are thinking about getting into this field and wondering, do they have the right background to get in. My message to them is, if you are curious, if you're excited, if you're passionate, if you want to learn, if you're willing to adapt, any field is great, including cybersecurity, so don't hesitate to pivot. We don't have enough time to go into my story, so I'll save that for another occasion. But cybersecurity can benefit from an eclectic influence -- people with different perspectives need to jump in. I did an episode with a very senior leader of a major financial institution. Okay, and he was emphatic about the importance of leaders from other functions getting into the security function, and he felt that they need to make the security function more attractive to draw great talent. So this is very consistent, that people from different backgrounds, business and technical backgrounds, are pursuing different activities within the cybersecurity domain. So, anyhow, getting back to our discussion topic, threat modeling, Marcos, it might be a good idea to share with the listeners, provide them an overview of what threat modeling is, what its purpose is.

Marcos Lira:

Absolutely. In the insurance world, before I transitioned to cybersecurity, before you can assign a policy to an individual, you conduct what's called risk analysis. And you look at all this data, you start assessing the risk associated with issuing a policy to a particular individual or a business, what have you. And so, during this process, they look at various risks. And it could be credit, it could be where the business might be located, where, you know, for automobile insurance, the automobiles are located, how often someone is driving, right. And what they're doing is they're analyzing threats. And so with this experience, I started taking a look at the data that Halo Security provides, which is the organization I work with. And I started noticing that we provide a lot of data, which with context, is really threat intelligence. And so it was data around the attack surface. And that's when I started connecting the two -- risk analysis, the data that we provide from an attacker's point of view, it's really threat modeling, and this data can be utilized for threat modeling. So what is threat modeling? At a high level, it's really analyzing risk to your assets. And during the threat modeling exercise, what you want to do is identify threats, identify any current security controls, any gaps, and at the end of the day, assess, what are we currently doing, and is it efficient to protect our assets. And the asset can be customer data. It can be, you know, other variations, but that's what we're looking for. And at the end, it's customer data, or it's just data in general, right, data is the oil. In this century, the world is powered by data, and data has been accumulating at a faster rate.

Dr. Dave Chatterjee:

That was a great explanation. To reiterate, when done well, threat modeling helps organizations identify where the risks are, the different sources of risks, and the types of assets that are vulnerable to the different forms of threats. Rigorous threat modeling will ensure that organizations engage in comprehensive asset discovery. The Cybersecurity and Infrastructure Security Agency, CISA, recently issued a directive requiring federal enterprises, the civilian executive branch, to perform automated and comprehensive asset discovery every seven days. The directive also requires federal enterprises to initiate vulnerability enumeration across all discovered assets every 14 days. So, threat modeling is such an intrinsic part of information security governance, and it is so important that it's done well. However, my research finds that many organizations don't do it well. Some are pretty haphazard or chaotic about it. Some want to just focus on a few applications and are hasty about it. Your thoughts?

Marcos Lira:

Dave, you know, you can't make informed decisions about business without threat modeling. And so what that means is it really starts from the top level, from the executive level, down. In order to create a culture of security, it has to come from leadership. And so if you don't understand the data flow of your systems, you can't make informed decisions. You can't decide how best to defend and secure customer data. And so what most organizations get wrong is that they believe threat modeling is going to slow the business down. And so what has happened is that we've dedicated more of the resources, and this is what's been communicated to me in my weekly, daily conversations with, you know, CISOs, CTOs, leadership personnel, that their resources are spent on reactive approaches. Right, because that's easier, that's easier to communicate to the business, it's easier to communicate to the Board of Directors. While in case of a breach, we have this in place, and it's either going to contain or it's going to defend. But they're very slow in implementing a proactive approach, which will be less costly over time. And that's where threat modeling comes into play. It's a proactive approach. It's going to help you from a business perspective, from a leadership perspective, it's going to help the organization decrease costs over time. Because threat modeling is going to tell you where your gaps are. Right? It's going to identify those gaps, and it's going to help you better focus those resources in protecting and securing those gaps. And so that's what most people get wrong about threat modeling, is, it's time consuming, it's cumbersome, it's confusing, because there's so many methodologies out there. There's PASTA, there is DREAD, there's the Microsoft STRIDE model, right, spoofing, tampering, escalation of privileges, right, all these different methodologies. And so they just put their hands up and say, wow, this is too confusing, I don't know where to start. And let's just be, you know, reactive, let's just defend. And so I think that's where organizations get it wrong, is you think it's very difficult to implement, when in fact, it is not. We threat model all the time. Dr. Dave, you've threat modeled in your day to day without even realizing. I threat model my day to day without realizing. The example I give my clients is, I just had a newborn, right. She's actually one year old now. But as soon as I brought my newborn home, the first thing I did was threat model. I started identifying all the possible threats from the doctor's, from the hospital, to my home, right? I get into my car, what are the possible threats? Oh, the other drivers out there. So I got to drive defensively, got to make sure my car seat's placed correctly, my baby's secured tightly. Right. When it comes to the home, I'm gonna make sure my windows have all the proper locks in place. My doors have all the proper locks in place, and they are working functionally. Right. So we're always thinking of the possible threats to an asset. And that's really the way organizations view threat modeling, is, well, let's start with what are we trying to protect? What do we consider an asset to the organization? And let's start from there. And let's start identifying the possible threats. So if you think of it from that perspective, it shouldn't be a very difficult task.

Dr. Dave Chatterjee:

Absolutely. What a wonderful example. When you talked about being a parent, and trying to proactively gauge different types of threats to your little daughter, you essentially conveyed how caring and protective you are. It really boils down to truly caring about securing the enterprise, the various entities and the relevant assets. You talked about the different approaches to threat modeling. It could be attacker centric, it could be asset centric, and it could be software centric. You also mentioned the different threat modeling methodologies, such as STRIDE, PASTA and DREAD. So there's a lot of guidance out there, but that can be overwhelming and create confusion regarding what is the right way to do threat modeling. Can you provide some clarity?

Marcos Lira:

I think the threat modeling manifesto said it best. And I think the right way of doing threat modeling, it's answering four questions. And this is applicable at every layer within an organization, and at every domain, whether it's accounting, whether it's development, whether it's IT, whether it's business, finance, right, is: what are we currently working on? What can go wrong? What are we going to do about it? And did we do a good enough job? I think that is the best approach to threat modeling, is starting with those four questions. And again, this is applicable to any layer, at any phase, within an organization. It does not have to be only applicable in the eyes of development. So let's think about threat modeling in this context. I like to use an example. Think of the Capital One breach that happened in 2019. And the Capital One breach happened, not within the Capital One network that they have control over. It happened in a cloud infrastructure, where it was shared responsibility. And it happened because of insider threats at the third party, which was the cloud infrastructure. And so a lot of the times organizations think, well, what are we doing? What are we working on? Well, working on, you know, providing information to our customers much faster. Okay, so we're going to transfer the infrastructure of that compute power and the data storage and what have you to, in this case, it was AWS. Right? What can go wrong? Well, what's going on in the industry, and what's happened in my conversations, and I assume what happened with Capital One, is that we're transferring risk, right? And the thing is, we're not transferring all the risks, we're transferring some of the risks. And that's why GCP, Google Cloud Platform, AWS, and Azure all have, as a part of their policy, part of their T's (terms) and C's (conditions), shared responsibility. Terms and Conditions. Right. And so what happened with Capital One, where threat modeling could have come into play, and it could have solved an issue that was identified, was encryption. Right? If Capital One had encrypted the data, not just in transit, but also at rest, yes, also at rest, right, if Capital One would have encrypted the data, not just in transit, but also at rest, then it would have been more difficult for the insider threat to create any value from that data, right? It would have been useless. And so that's where you can threat model against third parties. As we stated earlier, there's many methodologies and each methodology has their own methods of approaching threat modeling, there are various steps. And the threat modeling manifesto, which is what I recommend to our clients, and our process has been, when clients start thinking about implementing threat modeling, is this simplified? Because you really only need to answer four questions. Right? And so that is, what are we working on? What can go wrong? What are we going to do about it? And did we do a good enough job? In an example, one of the authors of the manifesto, Adam Shostack, likes to say, and I think it's a great example, so I'll utilize it here, is, imagine that you have an errand to run. And your phone is at 20% as far as, you know, charge, it's at 20% battery life. And you have to run this errand, and you have an update, it's a critical update that you have to run. And so you have, right, what are we working on? Well, you have this errand that you have to run. So you have to leave your house. Okay. But you have to make the decision. And here's where the threat model comes in, is, do I leave my phone at home, charging, done with the security update? Or do I take the phone with me? Because, you know, an accident might happen, I might need the phone for emergency reasons. That's a decision you have to make. Right? So that's the, what can go wrong? What are we going to do about it? Well, you have to make that decision, right? Leave the phone here, or I can take it with me. And the last thing is, did we do a good enough job? So in this example, the individual took the phone with him and said, well, I'm gonna take the phone with me in case of an emergency, and I'm gonna wait to update the phone with the security update until I get home. What's at risk, is that maybe their data is exploited, that maybe, you know, some type of attack can happen because they're vulnerable, they don't have the security updates. So they're vulnerable at the moment. But that's the risk they decided to accept. Right? And so did we do a good enough job? Well, at the end of the night, they were able to update their phone. It wasn't compromised. And they're good to go. So yes, they did a good enough job. And so in short, threat modeling is, again, in that example, as far as it's just kind of simplifying it with, what are we working on? What can go wrong? What are we going to do about it, and did we do a good enough job, is addressing the risk. And now they had to answer whether they wanted to transfer that risk, accept that risk, mitigate that risk, or avoid the risk, which they can. So

Dr. Dave Chatterjee:

Totally agree. Switching gears a little bit, it's great to know that now there are tools and platforms available that facilitate collaboration, and are very intuitive and easy to use. They help pull together information from different places to one place quickly. There are opportunities to customize. And last but not the least, the reporting capabilities have improved significantly. As a practitioner, what are your thoughts about the future of threat modeling?

Marcos Lira:

The future of threat modeling, it's going to be more accepted conceptually. Right, because again, we don't want to get bogged down by the intricacies of threat modeling. Because as organizations have stated, it's too cumbersome. So it will be integrated within the business as a concept in the way we do security, right? Think of DevOps, right? The big push was security. And so you get DevSecOps, right, is you want to code with security in mind. And so that's the future of threat modeling, is you want to build, you want to move around your organization, with security in mind. And that's where threat modeling is going to come into play. It's going to be embedded within the culture of every business and organization. As we get more comfortable with the concept of threat modeling, which is really identifying threats to an asset and understanding what are we currently doing about it. It can be as simple as doing threat modeling on a whiteboard, it doesn't have to be difficult. And again, it can be implemented at every layer of the organization.

Dr. Dave Chatterjee:

Very true, very true. So we are kind of coming towards the end of our discussion. So I want to make sure that we've covered all the important aspects, and I believe we have, but for the benefit of the listeners, I'll go through a few items that I have listed here. First and foremost, we talked about how important threat modeling is. And I love the way you put it, that threat modeling should not be made into a cumbersome, you know, technically complex process; it must be approached conceptually, it must be approached simply, asking fundamental reflective questions. It reminds me of an approach that an organization used for many, many years, a major organization; they would call it the destroy your business approach, DYB. And the CEO would require the senior leadership, during the quarterly meetings, to make a presentation where each product unit head had to share scenarios that would kill that product line. And then they would also have to present their action plans on how to proactively avoid those situations. Now, this example that I shared, this best practice that I shared, was in the context of any business; it wasn't particularly focused on cybersecurity. But the underlying principle is so applicable, that you have to be able to constantly do this threat analysis, threat scenario analysis, and use that analysis to identify areas for improvement, areas of weakness. And then, wherever appropriate, bring in the relevant tools; often it's a combination of tools, processes and people. Another thing that you mentioned, which is so important, that threat modeling should never be undertaken in a siloed manner. It should start, if you look at the software development lifecycle, it should be embedded in the lifecycle through all the phases, starting with the design. I love the way you explained DevOps security, that security by design, security should be built into the design and development of a system by default. And that's when an organization has started to really institutionalize threat modeling. You know, that's where we need to go. The good news is that many of the threat modeling tools that are available today are open source. And they provide amazing capabilities. For instance, one is able to gather threat intelligence from the different threat libraries. They offer dashboards that show data from threat intelligence and offer mitigation options. They can be scaled up to meet business needs. They integrate very well with the business infrastructure. And last but not least, they offer very robust reporting capabilities. I would never recommend a particular platform over the other. That is never the intent of this episode. In fact, that undermines the credibility of this episode. But what I always like to do is, in collaboration with my subject matter expert guest, today we have Marcos, I'd like to offer guidance to organizations when they're trying to make this call. And that guidance is especially relevant because while you can hire third party expertise for threat modeling, considering how intrinsic, how centric threat modeling is to overall security governance, it is imperative that an organization develops in-house competency, in-house capability, as opposed to, oh, this is something we don't want to deal with, let's get an outside vendor to do it for us. That doesn't serve the purpose. And so I would strongly urge organizations to make that investment in people, in process, in technology, to develop threat modeling skills, capabilities in-house. But having said that, I'll pass it over to Marcos. Marcos, please share your final thoughts and help us wrap up the episode for today.

Marcos Lira:

Yes. Threat modeling, you know, it is a concept. It's a process. It's applicable to every layer, every domain of an organization. It should not rely purely on automation, purely on a software tool; it has a manual component to it. In order to think of all the possible threats out there, you've got to take an attacker's perspective.

The next point I wanted to make is that threat modeling for assets that you know of is easier. But for an organization, you've got to think about the assets that you have forgotten, that have been misconfigured over time, that have been poorly managed over time. And I think it's more important now than ever to threat model against those assets. In order to really have an understanding of the attack surface, you do need an attack surface management tool. The first part of the attack surface management tool, or the foundational layer of it, is discovery. And that's where reconnaissance comes into play. Right? Reconnaissance is the first step of the cyber kill chain when we think of it from an attacker's point of view. You think of NIST, it's Identify, right? You have to identify what's on your attack surface. That's the only way that you can defend those assets. And so in threat modeling, the very first step is reconnaissance, is discovery. It's identify all the assets on the attack surface, and then model the possible threats against those assets. And maybe you avoid the threat. And by avoiding the threat, I mean you take down the asset: the asset does not serve a purpose, it does not need to be on the attack surface, so you take that asset down. Right? That is one of the best approaches, reducing the attack surface. This is going to make threat modeling much easier.

When you start thinking of data flows, the world is now powered by APIs. And we're moving from a culture where everything is housed in-house, the infrastructure is in-house, to everything is as-a-service: software as a service, infrastructure as a service. Then you've got to start thinking of the possible threats along those connections, because now we're connecting across what we call trust boundaries. Right? My data comes in from a source that I have full control over; maybe we'll utilize a CRM, for example Salesforce. And so now I have a third party that's providing me software as a service, and we're transferring our customer data to that CRM. Well, that's PII that's hosted at a third party. So now I've got to threat model against that third party. And so threat modeling, it's not just for your organization; it should really be expanded to all the trust boundaries you have along your network.

So my takeaways are, again: utilize an attack surface management solution to identify all the assets on the attack surface. Second, reduce, or in this case avoid, risk by reducing the attack surface. And then lastly, apply threat modeling to the assets that remain on the attack surface. This process will become much easier; you will be able to identify your gaps much faster, identify weaknesses, identify vulnerabilities. It's all going to be much faster once you have an understanding of what's out there, what the attackers are seeing from their perspective.

Dr. Dave Chatterjee:

Fantastic. Well, I really appreciate your time, Marcos. It's been a pleasure having you on this episode, and I look forward to many more interesting conversations. And I know listeners greatly appreciated your insights. Thank you again. A special thanks to Marcos Lira for his time and insights. If you like what you heard, please leave the podcast a rating and share it with your network. Also, subscribe to the show so you don't miss any new episodes. Thank you for listening, and I'll see you in the next episode.

Introducer:

The information contained in this podcast is for general guidance only. The discussants assume no responsibility or liability for any errors or omissions in the content of this podcast. The information contained in this podcast is provided on an as-is basis with no guarantee of completeness, accuracy, usefulness, or timeliness. The opinions and recommendations expressed in this podcast are those of the discussants and not of any organization

About the Podcast

The Cybersecurity Readiness Podcast Series
with Dr. Dave Chatterjee

About your host

Dave Chatterjee

Dr. Debabroto 'Dave' Chatterjee is a tenured professor in the Management Information Systems (MIS) department at the Terry College of Business, The University of Georgia (UGA). He is also a Visiting Scholar at Duke University, affiliated with the Master of Engineering in Cybersecurity program in the Pratt School of Engineering. An accomplished scholar and technology thought leader, Dr. Chatterjee's interest and expertise lie in the various facets of information technology management, from technology sense-making to implementation and change management, data governance, internal controls, information security, and performance measurement. His work has been accepted and published in prestigious outlets such as The Wall Street Journal, MIT Sloan Management Review, California Management Review, Business Horizons, MIS Quarterly, and Journal of Management Information Systems. Dr. Chatterjee's research has been sponsored by industry and cited over two thousand times. His book Cybersecurity Readiness: A Holistic and High-Performance Approach was published by SAGE Publishing in March 2021.