Organisations that link threat modelling and risk analysis will have a much better understanding of the cyber risks they face, according to Rapid7 European strategic services manager Wim Remes.
Information security is increasingly becoming a boardroom topic, but information security professionals typically struggle to express risk in terms that the board understands.
That is assuming they themselves really understand exactly what cyber risks their particular organisation is facing in the first place.
Remes believes the best way to understand an organisation’s vulnerabilities to cyber attack is through threat modelling for both IT infrastructure and IT applications.
“Understanding the attack surface in an organisation can really contribute to understanding the cyber risk the organisation is facing,” he said.
Threat modelling also helps organisations to see beyond specific vulnerabilities to identify and remediate the underlying causes.
“Penetration testing will identify a cross-site scripting vulnerability, for example, but threat modelling will identify the need for secure coding practices to address the underlying cause,” said Remes.
“Penetration test results and vulnerability assessments need to become data that is fed into risk management processes rather than just a list of things to be remediated,” he added.
Remes believes a clear understanding of the attack surface is essential to enabling organisations to prioritise their information security efforts.
“Without a more specific and detailed understanding of risks through threat modelling and penetration testing, it is difficult to prioritise risks in an accurate and meaningful way,” he said.
However, in most organisations there is still not a well-established link between threat modelling and risk management, although some organisations are starting to work in this way.
Better results with detailed view of threats
According to Remes, information security professionals can achieve much better results by getting a detailed view of threats and working with the business to assess the impact on specific data assets.
But, he said, the problem is that threat modelling and risk management tend to be practised in different parts of an organisation and there is little or no interaction between them.
“Ideally, threat modelling should be used to feed risk management equations,” said Remes.
Another problem is that risk management tends to be done periodically and there is very little variation in the way that cyber risks are viewed unless specific risks are highlighted by a penetration test or a new vulnerability disclosure.
“But organisations that use threat modelling to feed into their risk management processes are much more focused on the risk profile of the organisation because threat modelling begins with identifying the threats that are applicable to that particular organisation,” said Remes.
“Identifying the threat actors that a particular organisation is facing and identifying the potential weaknesses in that organisation’s IT systems is a much better way to prioritise security efforts than trying to address all threats,” he added.
According to Remes, one way of enabling better connections between threat modelling and risk management is using the factor analysis of information risk (Fair) approach and framework.
“Fair makes it clear that there are business and technical components to risk, it provides more information about the value of the assets and the potential impact of threat events, and it enables an organisation to progress from a qualitative to a more quantitative risk management practice,” he said.
Remes believes that Fair is also a useful way of helping to remove the boundaries between the business and technical units within organisations and making risk less about compliance and more about potential impact of vulnerabilities and weaknesses in systems.
“Fair enables the business and technical sides of an organisation to realise that there are components of risk beyond just those that they understand,” he said.
According to Remes, the result is a better understanding of the risks facing the organisation, which helps prioritise security activity and can be expressed to the board in terms of impact on the business.
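To make concrete how threat-modelling output can "feed risk management equations" in the Fair style described above, here is an added example (not code from the article, Rapid7 or the Fair standard) that takes constructed threat-actor, weakness, frequency and loss-magnitude estimates and produces an annualised loss figure per scenario that can be ranked and reported to the board. The scenario values and the PERT input shape are assumptions for illustration.

```python
"""Fair-style quantitative risk estimate fed by threat-modelling outputs.

Added example, not from the article. All scenario figures are constructed.
"""
import random
import statistics
from dataclasses import dataclass


@dataclass
class Scenario:
    threat_actor: str       # from threat modelling: who is actually in scope
    weakness: str           # underlying cause, not just one pentest finding
    tef: tuple              # threat event frequency per year (min, likely, max)
    vulnerability: tuple    # probability a threat event becomes a loss event
    loss_magnitude: tuple   # loss per event in currency units (min, likely, max)


def sample_pert(rng, lo, mode, hi, lam=4.0):
    """Draw from a modified PERT distribution, a common Fair input shape."""
    if hi == lo:
        return lo
    a = 1 + lam * (mode - lo) / (hi - lo)
    b = 1 + lam * (hi - mode) / (hi - lo)
    return lo + rng.betavariate(a, b) * (hi - lo)


def simulate(scenario, iterations=10000, seed=1):
    """Fair core: LEF = TEF x Vulnerability; annual loss ~ LEF x loss magnitude.

    Using LEF x loss magnitude directly is a simplification (expected annual
    loss) rather than drawing a discrete event count per year.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(iterations):
        tef = sample_pert(rng, *scenario.tef)
        vuln = sample_pert(rng, *scenario.vulnerability)
        losses.append(tef * vuln * sample_pert(rng, *scenario.loss_magnitude))
    losses.sort()
    return {"mean": statistics.fmean(losses),
            "p90": losses[int(0.9 * (iterations - 1))]}


def prioritise(scenarios):
    """Rank scenarios by expected annual loss, highest first (board view)."""
    ranked = sorted(scenarios, key=lambda s: simulate(s)["mean"], reverse=True)
    return [(s.threat_actor, s.weakness, round(simulate(s)["mean"])) for s in ranked]


# Constructed scenarios: frequent low-impact XSS abuse vs. rare high-impact insider misuse.
XSS = Scenario("opportunistic external", "no secure coding standard",
               (5, 20, 50), (0.1, 0.3, 0.6), (1_000, 5_000, 20_000))
INSIDER = Scenario("privileged insider", "no separation of duties in finance app",
                   (0.1, 0.5, 2), (0.2, 0.5, 0.9), (50_000, 200_000, 1_000_000))
```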
Remes is speaking on the topic “Strategic attack surface management: involving the business” at Infosecurity Europe 2015, held 2-4 June 2015 in London.