How to build a risk threat model

Experts at Rapid7’s United security summit share advice on building a risk threat model to get the resources you need

Each business is different and requires diverse security measures and best practices, yet each security division runs into similar barriers when trying to convince management to loosen the purse strings.  

Security experts shared their tips and advice on how to build a risk threat model at Rapid7’s United security summit 2013.

John Pescatore, director of emerging security trends at SANS, believes different environments require different security gauges.

“A car has a check light for when running out of gas,” said Pescatore. “A boat has different gauges, not just to gas but to show depth. A plane has gauges on gas, whether the wings are level, etc. All environments are different and require different protections. Attackers target anyone that has information that can be sold.”

According to Pescatore, a typical risk management framework will:

  • Categorise information systems
  • Select security controls
  • Assess security controls
  • Implement security controls
  • Authorise information systems
  • Monitor security controls

“This is how they used to build battleships and then crack the champagne on the side and watch it sink. To get the compliant ship, no one checked if it could float,” he said.  

Pescatore said threats have moved from random attacks to targeted attacks, so you need to establish a baseline and ask: who are the stakeholders? The directors, regulators, CIO, CISO? What is the timeframe and budget? What are your options?

In building your risk threat model, he advised:

  • Do an internal assessment and a full external assessment, including a pen testing audit approach
  • Do you know where you are starting from, and does your management believe you?
  • Use critical security controls to focus
  • Use continuous monitoring capabilities
  • What coming business technology will cause a breakage? Threat and monitoring preparedness is important as it is not unusual to find evidence of an active compromise.
  • Activate incident response – who has the authority to unplug? When you’re bleeding this is the time to go for the money. The key is to say what you need to enhance and shield the environment as a justification.
  • Protect the crown jewels – shield, replace and enhance.

He said companies tend to fall short in areas such as controls that have been implemented but are not mature. Typical problem areas here include a lack of vulnerability and configuration management basics, no advanced threat visibility and no real application security.

However, he added that common barriers to progress include the fear of cloud and BYOD compliance, and thoughts like “the user will never… management will never.”

To overcome these barriers, he suggests you: “Show mapping from controls to compliance. Present BYOD and cloud use as new initiatives that are important for rapid roll-out. Look for the low-hanging fruit for quick wins. Focus on breach risk, not on compliance risk. Think about what the likely target is. Protect, stop-look-listen and update.

“How do some business leads end up getting backing from management? They show that you need to always know where you are. You need to show that you know you are in 5ft of water, not 5ft, as a boat gauge knows.”

Getting management to listen in healthcare

Chad Currier, IT infrastructure director at Cardinal Innovations Healthcare Solutions, said: “Something I struggle with is that most people consider security a pain, like we are trying to make their jobs harder. Some think breaches that are in the news will never happen to them.”

The healthcare provider has been using Rapid7’s ControlsInsight, which Currier said enables him to report back to the management team with metrics that are meaningful to them.

He added: “We have to be agile at all times. With ControlsInsight we can see that we have 250 high-risk workstations. That is our low-hanging fruit and we can go there and do some more digging straight away.

“Healthcare is changing rapidly and ControlsInsight allows me to slice up who has been at the company for a while and who needs some end user training.”
