Threat modeling is an intrinsic part of information security governance and needs to be done well. However, research finds that many organizations don't do it well, some are pretty haphazard or chaotic in their approach. In this episode, Marcos Lira, Lead Solutions Engineer at Halo Security, sheds light on how to do threat modeling the right way. The key questions driving the discussion were: a) what is the scope and purpose of threat modeling? b) what have people and organizations been getting wrong about threat modeling? c) what is the right way of doing threat modeling? and d) what is the future of threat modeling?
Time Stamps
01:45 -- Please share with listeners some highlights of your professional journey.
03:52 -- Marcus, please provide listeners with an overview of Threat Modeling. What is it? What is its purpose?
08:13 -- Threat Modeling is such an intrinsic part of information security governance, and it is so important that it's done well. However, my research finds that many organizations don't do it well. Some are pretty haphazard or chaotic about it. Some want to focus on a few applications and are hasty about it. Your thoughts?
14:06 -- There's a lot of guidance out there. But that can be overwhelming and create confusion regarding the right way to do threat modeling. Can you provide some clarity?
22:19 -- As a practitioner, what are your thoughts about the future of threat modeling?
24:23 -- Please share your final thoughts and help us wrap up the episode for today.
Memorable Marcos Lira Quotes/Statements
"You can't make informed decisions about business without threat modeling."
"What most organizations get wrong is that they believe threat modeling will slow the business down."
"What most people get wrong about threat modeling is that it is time-consuming, cumbersome, and confusing because there are so many methodologies out there."
"Threat modeling is a proactive approach. It's going to help the organization decrease costs over time."
"The threat modeling manifesto said it best -- the right way of doing threat modeling is by answering four questions: a)what are we currently working on? b) What can go wrong? c) What are we going to do about it? d) And if we did a good enough job?"
Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.
Connect with Dr. Chatterjee on these platforms:
LinkedIn: https://www.linkedin.com/in/dchatte/
Website: https://dchatte.com/
Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338
https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712
Latest Publication: https://www.imd.org/ibyimd/magazine/preventing-security-breaches-must-start-at-the-top/
Welcome to the Cybersecurity Readiness Podcast
Introducer:Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of
Introducer:the book Cybersecurity Readiness: A Holistic and
Introducer:High-Performance Approach, a SAGE publication. He has been
Introducer:studying cybersecurity for over a decade, authored and edited
Introducer:scholarly papers, delivered talks, conducted webinars and
Introducer:workshops, consulted with companies and served on a
Introducer:cybersecurity SWAT team with Chief Information Security
Introducer:Officers. Dr. Chatterjee is Associate Professor of
Introducer:Management Information Systems at the Terry College of
Introducer:Business, the University of Georgia. As a Duke University
Introducer:Visiting Scholar, Dr. Chatterjee has taught in the Master of
Introducer:Engineering in Cybersecurity program at the Pratt School of
Introducer:Engineering.
Dr. Dave Chatterjee:Hello, everyone, I'm delighted to
Dr. Dave Chatterjee:welcome you to this episode of the Cybersecurity Readiness
Dr. Dave Chatterjee:Podcast Series. The discussion today will focus on threat
Dr. Dave Chatterjee:modeling. Some of the questions driving the discussion are, a)
Dr. Dave Chatterjee:what is threat modeling? b) what is its purpose? c) what have
Dr. Dave Chatterjee:people and organizations been getting wrong about threat
Dr. Dave Chatterjee:modeling? d) what is the right way of doing threat modeling?
Dr. Dave Chatterjee:and finally, d) what is the future of threat modeling?
Dr. Dave Chatterjee:Marcos Lira, Lead Solutions Engineer at Halo Security joins
Dr. Dave Chatterjee:me in shedding light on this very important cybersecurity
Dr. Dave Chatterjee:governance topic. Welcome, Marcos.
Marcos Lira:Hi, Dr. Dave. It's a pleasure to be here. Thanks
Marcos Lira:for having me.
Dr. Dave Chatterjee:Thank you so much for making time. I know
Dr. Dave Chatterjee:this is gonna be an exciting session. And I know, listeners
Dr. Dave Chatterjee:will greatly appreciate your insights. So before we get into
Dr. Dave Chatterjee:the details of threat modeling, let's talk about you. Please
Dr. Dave Chatterjee:share with listeners some highlights of your professional
Dr. Dave Chatterjee:journey.
Marcos Lira:Absolutely! In preparing for the podcast, I was
Marcos Lira:doing some research. And it appears that you and I have a
Marcos Lira:similar background. We both started the it looks like in
Marcos Lira:finance. So I think you have a degree in accounting. Yes. And
Marcos Lira:my degree is in finance with the emphasis in financial planning
Marcos Lira:and taxation. And so the beginning part of my career, I
Marcos Lira:focus on financial planning, and tax preparation, whatnot. And
Marcos Lira:about 10 years ago, I decided to pivot to cybersecurity. And it
Marcos Lira:really happened with the transition of, you know, cloud
Marcos Lira:adoption and digital transformation in the finance
Marcos Lira:world. And so this was shortly after, you know, 2010, I began
Marcos Lira:noticing that a lot of my clients were required to, or
Marcos Lira:they were being asked by these financial institutions to
Marcos Lira:submit, you know, their credentials from another bank,
Marcos Lira:or brokerage, an insurance provider. And they were
Marcos Lira:aggregating this data on this one platform. I started thinking
Marcos Lira:to myself, I wonder what kind of security controls are in place,
Marcos Lira:because there's a lot of data being transferred around these
Marcos Lira:different institutions and different applications. And so
Marcos Lira:that got my interest in cybersecurity. And so yeah, the
Marcos Lira:rest is history. And I've been in the application security
Marcos Lira:space now for a little, about 10 years.
Dr. Dave Chatterjee:That's great to hear. And Marcos, I'm
Dr. Dave Chatterjee:glad you shared, you know, how you stumbled into this field, If
Dr. Dave Chatterjee:I may. And so did I. And, in fact, I want to take this
Dr. Dave Chatterjee:opportunity of encouraging many listeners who may not be in this
Dr. Dave Chatterjee:field, or, and are thinking about getting into this field
Dr. Dave Chatterjee:and wondering, do they have the right background to get in, my
Dr. Dave Chatterjee:message to them is, if you are curious, if you're excited, if
Dr. Dave Chatterjee:you're passionate if you want to learn if you're willing to
Dr. Dave Chatterjee:adapt, any field is great, including cybersecurity, so
Dr. Dave Chatterjee:don't hesitate to pivot. We don't have enough time to go
Dr. Dave Chatterjee:into my my story, so I'll save that for another occasion. But
Dr. Dave Chatterjee:cybersecurity can benefit from an eclectic influence -- people
Dr. Dave Chatterjee:with different perspectives needs to jump in. I did an
Dr. Dave Chatterjee:episode with a very senior leader of a major financial
Dr. Dave Chatterjee:institution; Okay, and he was emphatic about the importance of
Dr. Dave Chatterjee:leaders from other functions, getting into the security
Dr. Dave Chatterjee:function, and he felt that they need to make the security
Dr. Dave Chatterjee:function more attractive to draw great talent. So this is very
Dr. Dave Chatterjee:consistent that people from different backgrounds, business
Dr. Dave Chatterjee:and technical backgrounds are pursuing different activities
Dr. Dave Chatterjee:within the cyber security domain. So, anyhow, getting back
Dr. Dave Chatterjee:to our discussion topic threat modeling, Marcos, it might be a
Dr. Dave Chatterjee:good idea to share with the listeners, provide them an
Dr. Dave Chatterjee:overview of what threat modeling is, what it's purpose?
Marcos Lira:Absolutely. In the insurance world, before I
Marcos Lira:transitioned to cybersecurity; before you can assign a policy
Marcos Lira:to an individual, you conduct what's called risk analysis. And
Marcos Lira:you look at all this data, you start assessing the risk
Marcos Lira:associated with issuing a policy to particular individual or a
Marcos Lira:business, what have you. And so, during this process, they look
Marcos Lira:at various risks. And it could be credit, it could be where the
Marcos Lira:location of the business might be located, where the location
Marcos Lira:of, you know, for automobile insurance, where the location of
Marcos Lira:the automobiles are located, how often someone is driving, right.
Marcos Lira:And what they're doing is they're analyzing threats. And
Marcos Lira:so with this experience, I started taking a look at the
Marcos Lira:data that Halo Security provides, which is the
Marcos Lira:organization I work with. And I started noticing that we provide
Marcos Lira:a lot of data, which with context, is really threat
Marcos Lira:intelligence. And so it was data around the attack surface. And
Marcos Lira:that's when I started connecting the two -- risk analysis, the
Marcos Lira:data that we provide from an attackers point of view, it's
Marcos Lira:really threat Modeling, and this data can be utilized for threat
Marcos Lira:modeling. So what is threat modeling at a high level, it's
Marcos Lira:really analyzing risk to your assets. And during the threat
Marcos Lira:modeling exercise, what you want to do is identify threats,
Marcos Lira:identify any current security controls, any gaps, and at the
Marcos Lira:end of the day, assess, what are we currently doing, and is it is
Marcos Lira:efficient to protect our assets. And the asset can be customer
Marcos Lira:data. It can be, you know, other variations, but that's what
Marcos Lira:we're looking for. And at the end, it's customer data, or it's
Marcos Lira:just data in general, right data is the oil. And this century,
Marcos Lira:the world is powered by data, and data has been accumulating
Marcos Lira:at a faster rate.
Dr. Dave Chatterjee:That was a great explanation. To reiterate,
Dr. Dave Chatterjee:when done well, threat Modeling helps organizations identify
Dr. Dave Chatterjee:where the risks are, the different sources of risks, and
Dr. Dave Chatterjee:the types of assets that are vulnerable to the different
Dr. Dave Chatterjee:forms of threats. Rigorous threat modeling will ensure that
Dr. Dave Chatterjee:organizations engage in comprehensive asset discovery.
Dr. Dave Chatterjee:The Cybersecurity and Infrastructure Security Agency
Dr. Dave Chatterjee:CISA recently issued a directive requiring federal enterprises,
Dr. Dave Chatterjee:the civilian executive branch, perform automated and
Dr. Dave Chatterjee:comprehensive asset discovery every seven days. The directive
Dr. Dave Chatterjee:also requires federal enterprises to initiate
Dr. Dave Chatterjee:vulnerability, enumeration across all discovered assets
Dr. Dave Chatterjee:every 14 days. So, threat modeling is such an intrinsic
Dr. Dave Chatterjee:part of information security governance, and it is so
Dr. Dave Chatterjee:important that it's done well. However, my research finds that
Dr. Dave Chatterjee:many organizations don't do it well. Some are pretty haphazard
Dr. Dave Chatterjee:or chaotic about it. Some want to just focus on a few
Dr. Dave Chatterjee:applications and are hasty about it. Your thoughts?
Marcos Lira:Dave, you know, you can't make informed decisions
Marcos Lira:about business without threat modeling. And so what that means
Marcos Lira:is it really starts from the top level from the executive level,
Marcos Lira:down. In order to create a culture of security, it has to
Marcos Lira:come from leadership. And so if you don't understand the data
Marcos Lira:flow of your systems, you can't make informed decisions. You
Marcos Lira:can't decide how best to defend and secure customer data. And so
Marcos Lira:what most organizations get wrong is that they believe
Marcos Lira:threat modeling is going to slow the business down. And so what
Marcos Lira:has happened is that we've dedicated more more of the
Marcos Lira:resources. And this is what's been communicated to me in my
Marcos Lira:weekly, daily conversations with, you know, CISOs, CTOs,
Marcos Lira:leadership personnel, that their resources are spent on reactive
Marcos Lira:approaches. Right, because that's easier, that's easier to
Marcos Lira:communicate to the business, it's easier to communicate to
Marcos Lira:the Board of Directors. While in case of a breach, we have this
Marcos Lira:in place. And it's either going to contain or it's going to
Marcos Lira:defend. But they're very slow in in implementing a proactive
Marcos Lira:approach, which will be less costly over time. And that's
Marcos Lira:where threat modeling comes into play. It's a proactive approach.
Marcos Lira:It's going to help you from a business perspective, from a
Marcos Lira:leadership perspective, it's going to help the organization
Marcos Lira:decrease costs over time. Because threat modeling is going
Marcos Lira:to tell you where your gaps are. Right? It's going to identify
Marcos Lira:those gaps, and it's going to help you better focus those
Marcos Lira:resources in protecting and securing those gaps. And so
Marcos Lira:that's what most or most people get wrong about threat modeling,
Marcos Lira:is, it's time consuming, it's cumbersome. There's, it's so
Marcos Lira:it's confusing, because there's so many methodologies out there.
Marcos Lira:There's PASAT, there is DREAD, there's the Microsoft STRIDE
Marcos Lira:model, right, spoofing, tampering, escalation of
Marcos Lira:privileges, right, all these different methodologies. And so
Marcos Lira:they just put their hands up and say, wow, this is too confusing,
Marcos Lira:I don't know where to start. And let's just be, you know,
Marcos Lira:reactive, let's just defend. And so I think that's where
Marcos Lira:organizations get wrong, is it you think it's, it's very
Marcos Lira:difficult to implement, when in fact, it is not. We threat model
Marcos Lira:all the time. Dr. Dave, you've threat modeled in your day to
Marcos Lira:day without even realizing I threat model my day to day
Marcos Lira:without realizing. The example I've give my clients is, I just
Marcos Lira:have I just had a newborn, right. She's actually one years
Marcos Lira:old now. But as soon as I brought my newborn, my newborn
Marcos Lira:home, the first thing I did was threat model. I started
Marcos Lira:identifying all the possible threats from the doctor's, from
Marcos Lira:from the hospital, to my home, right? I get into my car, what
Marcos Lira:are the possible threats, Oh, the other drivers out there. So
Marcos Lira:I got to drive defensively, got to make sure my car seats placed
Marcos Lira:correctly, my baby's secured tightly. Right. When it comes to
Marcos Lira:the home, I'm gonna make sure my windows have all the proper
Marcos Lira:locks in place. My doors have all the proper locks in place,
Marcos Lira:and they are working functionally. Right. So we're
Marcos Lira:always thinking of the possible threats to an asset. And that's
Marcos Lira:really what the way organizations view threat
Marcos Lira:modeling is, well, let's start with what are we trying to
Marcos Lira:protect? What is an what do we consider an asset to the
Marcos Lira:organization? And let's start from there. And let's start
Marcos Lira:identifying the possible threats. So if you think of it
Marcos Lira:from that perspective, it shouldn't be very difficult
Marcos Lira:task.
Dr. Dave Chatterjee:Absolutely. What a wonderful example, when
Dr. Dave Chatterjee:you talked about being a parent, and trying to proactively gauge
Dr. Dave Chatterjee:different types of threats to your little daughter, you
Dr. Dave Chatterjee:essentially conveyed how caring and protective you are. It
Dr. Dave Chatterjee:really boils down to truly care about securing the enterprise,
Dr. Dave Chatterjee:the various entities and the relevant assets. You talked
Dr. Dave Chatterjee:about the different approaches to threat modeling. It could be
Dr. Dave Chatterjee:attacker centric, it could be asset centric, and it could be
Dr. Dave Chatterjee:software centric. You also mentioned the different threat
Dr. Dave Chatterjee:modeling methodologies, such as STRIDE, PASTA and DREAD. So
Dr. Dave Chatterjee:there's a lot of guidance out there, but that can be
Dr. Dave Chatterjee:overwhelming. and create confusion regarding what is the
Dr. Dave Chatterjee:right way to do threat modeling? Can you provide some clarity?
Marcos Lira:I think the threat modeling manifesto said it best.
Marcos Lira:And I think the right way of doing threat modeling, it's
Marcos Lira:answering four questions. In this, this is applicable at
Marcos Lira:every layer within an organization. And at every
Marcos Lira:domain, whether it's accounting, whether it's development,
Marcos Lira:whether it's IT, whether it's business, finance, right, is
Marcos Lira:what are we currently working on? What can go wrong? What are
Marcos Lira:we going to do about it? And if we did a good enough job. I
Marcos Lira:think that is the best approach to threat modeling, is starting
Marcos Lira:with those four questions. And again, this is applicable to any
Marcos Lira:layer, at any phase, within an organization. It does not have
Marcos Lira:to be only applicable on the eyes of development. So let's,
Marcos Lira:let's think about threat modeling in this context. I like
Marcos Lira:to use a an example. Think of the Capital One breach that
Marcos Lira:happened 2019. And the Capital One breach happened, not within
Marcos Lira:the Capital One network that they have control over. It
Marcos Lira:happened in a cloud infrastructure, whether it was
Marcos Lira:shared responsibility. And it happened because of insider
Marcos Lira:threats at the third party, which was the cloud
Marcos Lira:infrastructure. And so a lot of the times organizations think,
Marcos Lira:well, what are we doing? What are we working on? Well, working
Marcos Lira:on, you know, providing information to our customers
Marcos Lira:much faster. Okay, so we're going to transfer the
Marcos Lira:infrastructure of that compute power and the data storage and
Marcos Lira:what have you to in this case, it was AWS. Right? What can go
Marcos Lira:wrong? Well, what what's going on in the industry, and what's
Marcos Lira:happened in my conversation. And I assume what happened with
Marcos Lira:Capital One is that we're transferring risk, right? And
Marcos Lira:the thing is, we're not transferring all the risks,
Marcos Lira:we're transferring some of the risks. And that's why GCP,
Marcos Lira:Google Cloud, platform, AWS, and Azure all have a part of their
Marcos Lira:policy, part of their T's (terms) and C's (conditions) is
Marcos Lira:shared responsibility. Terms and Conditions. Right. And so what
Marcos Lira:happened with Capital One, with threat modeling could have come
Marcos Lira:into play, and it could have solved a issue that was
Marcos Lira:identified was encryption. Right? If Capital One had
Marcos Lira:encrypted the data, not just in transit, but also at rest, Yes.
Marcos Lira:Also at rest, right, if Capital One would have encrypted the
Marcos Lira:data, not just in transit, but also at rest, then it would have
Marcos Lira:been more difficult for the insider threat to create any
Marcos Lira:value from that data, right? It would have been useless. And so
Marcos Lira:that's where you can threat model against third parties. As
Marcos Lira:we stated earlier, there's there's many methodologies and
Marcos Lira:each methodology as their own methods of approaching threat
Marcos Lira:modeling, there are various steps. And the threat modeling
Marcos Lira:manifesto is, which is what I recommend to our clients. And
Marcos Lira:our process has been started thinking about implemented
Marcos Lira:threat modeling, is this simplified? Because you really
Marcos Lira:only need to answer four questions. Right? And so that
Marcos Lira:is, what are we working on? What can go wrong? What are we going
Marcos Lira:to do about it? And did we do a good enough job? In an example,
Marcos Lira:one of the authors of the manifesto, Adam Shustack, likes
Marcos Lira:to say, and I think it's a great example. So I'll utilize it here
Marcos Lira:is, imagine that you have an errand to run. And your phone is
Marcos Lira:at 20% as far as you know, targeting and charge the 20% and
Marcos Lira:it's going with battery life. And you have to run this errand,
Marcos Lira:you have an update, it's a critical update that you have to
Marcos Lira:run. And so you have, right what are we working on? Well, you
Marcos Lira:have this errand that you have to run. So you have to leave her
Marcos Lira:house. Okay. But you have to make the decision. And here's
Marcos Lira:the threat model comes in, is, do I leave my phone at home?
Marcos Lira:Charging done with the security update? Or do I take the phone
Marcos Lira:with me? Because, you know, an accident might happen, I might
Marcos Lira:need to fund for emergency reasons. That's a decision you
Marcos Lira:have to make. Right? So that's the, what can go wrong? What are
Marcos Lira:we going to do about it? Well, you have to make that decision,
Marcos Lira:right? Leave the phone here, I can take it with me. And the
Marcos Lira:last thing is, do we do a good enough job. So in this example,
Marcos Lira:the individual took the phone with him and said, Well, I'm
Marcos Lira:gonna use, I'm gonna take the phone with me in case of an
Marcos Lira:emergency, where I'm gonna wait to update the phone with the
Marcos Lira:security update until I get home. What's at risk, is that
Marcos Lira:maybe their data is exploited, that maybe, you know, some type
Marcos Lira:of attack can happen that because they're vulnerable, they
Marcos Lira:don't have the security updates. So they're vulnerable at the
Marcos Lira:moment. But that's the risk they decided to accept. Right? And so
Marcos Lira:did a good enough job. Well, at the end of the night, they were
Marcos Lira:able to update their phone. It wasn't compromised. And they
Marcos Lira:were they're good to go. So yes, they did a good enough job. And
Marcos Lira:so in short, threat modeling is, again, in that example, as as
Marcos Lira:far as it's just kind of simplifying it with, what are we
Marcos Lira:working on? What can go wrong? What are we going to do about
Marcos Lira:it, and did we do a good enough job is address the risk. And now
Marcos Lira:they had to answer whether they wanted to transfer that risk,
Marcos Lira:accept that risk, or the mitigating that risk or avoid
Marcos Lira:the risk which they can. So
Dr. Dave Chatterjee:Totally agree. Switching gears a little
Dr. Dave Chatterjee:bit, it's great to know that now, there are tools and
Dr. Dave Chatterjee:platforms available that facilitate collaboration, and
Dr. Dave Chatterjee:are very intuitive and easy to use. They help pull together
Dr. Dave Chatterjee:information from different places to one place quickly.
Dr. Dave Chatterjee:There are opportunities to customize. And last but not the
Dr. Dave Chatterjee:least, the reporting capabilities have improved
Dr. Dave Chatterjee:significantly. As a practitioner, what are your
Dr. Dave Chatterjee:thoughts about the future of threat modeling?
Marcos Lira:The future threat modeling, it's going to be it's
Marcos Lira:going to be more accepted conceptually. Right, because
Marcos Lira:again, we don't want to get bogged down by the the
Marcos Lira:intricacies of threat modeling. Because as organizations have
Marcos Lira:stated, It's too cumbersome. So it will be integrated within the
Marcos Lira:business as a concept in the way we do security, right? Think of
Marcos Lira:DevOps, right? The big push was security. And so you get
Marcos Lira:DevSecOps, right, is you want to code with security in mind. And
Marcos Lira:so that's the future threat modeling, is you want to build,
Marcos Lira:you want to move around your organization, with security in
Marcos Lira:mind. And that's where threat modeling is going to come into
Marcos Lira:play. It's going to be embedded within the culture of every
Marcos Lira:business and organization. As we get more comfortable with the
Marcos Lira:concept of threat modeling, which is really identifying
Marcos Lira:threats to an asset and understanding what are we
Marcos Lira:currently doing about it. It can be as simple as doing threat
Marcos Lira:modeling on a whiteboard, it doesn't have to be difficult.
Marcos Lira:And again, it can be implemented at every layer of the
Marcos Lira:organization.
Dr. Dave Chatterjee:Very true, very true. So we are kind of
Dr. Dave Chatterjee:coming to towards the end of our discussion. So I want to make
Dr. Dave Chatterjee:sure that we've covered all the important aspects, and I believe
Dr. Dave Chatterjee:we have, but for the benefit of the listener listeners, I'll go
Dr. Dave Chatterjee:through a few items that I have listed here. First and foremost,
Dr. Dave Chatterjee:we talked about how important threat modeling is. And I love
Dr. Dave Chatterjee:the way you put it, that threat modeling should be should not be
Dr. Dave Chatterjee:made into a cumbersome, you know, technically complex
Dr. Dave Chatterjee:process, it must be approached conceptually, it must be
Dr. Dave Chatterjee:approached simply, asking fundamental reflective questions
Dr. Dave Chatterjee:as to, it reminds me of an approach that an organization
Dr. Dave Chatterjee:used for many, many years, a major organization, they would
Dr. Dave Chatterjee:call it destroy your business approach DYB. And the CEO would
Dr. Dave Chatterjee:require the senior leadership during that quarterly meetings,
Dr. Dave Chatterjee:to make a presentation, where each product unit head had to
Dr. Dave Chatterjee:share scenarios that would kill that product line. And then they
Dr. Dave Chatterjee:would also have to present their action plans on how to
Dr. Dave Chatterjee:proactively avoid those situations. Now, this example
Dr. Dave Chatterjee:that I shared, this best practice that I shared, was in
Dr. Dave Chatterjee:the context of any business, it wasn't particularly focused on
Dr. Dave Chatterjee:cybersecurity. But the underlying principle is so
Dr. Dave Chatterjee:applicable that you have to be able to constantly do this
Dr. Dave Chatterjee:threat analysis, threat scenario analysis, and use that analysis
Dr. Dave Chatterjee:to identify areas for improvement areas for
Dr. Dave Chatterjee:weaknesses. And then, wherever appropriate, bring in the
Dr. Dave Chatterjee:relevant tools, often it's a combination of tools, processes
Dr. Dave Chatterjee:and people. Another thing that you you mentioned, which is so
Dr. Dave Chatterjee:important, that threat modeling should never be undertaken in a
Dr. Dave Chatterjee:siloed manner. It should start, if you look at the software
Dr. Dave Chatterjee:development lifecycle, it should be embedded in the lifecycle
Dr. Dave Chatterjee:through all the phases, starting with the design, I love the way
Dr. Dave Chatterjee:you explained DevOps security, that security by design,
Dr. Dave Chatterjee:security, should be built into the design and development of a
Dr. Dave Chatterjee:system by default. And that's when an organization has started
Dr. Dave Chatterjee:to really institutionalize threat modeling. You know,
Dr. Dave Chatterjee:that's, that's where we need to we need to go. The good news is
Dr. Dave Chatterjee:that many of the threat modeling tools that are available today
Dr. Dave Chatterjee:are open source. And they provide amazing capabilities.
Dr. Dave Chatterjee:For instance, one is able to gather threat intelligence from
Dr. Dave Chatterjee:the different threat libraries. They offer dashboards, that
Dr. Dave Chatterjee:shows data from threat intelligence and offer
Dr. Dave Chatterjee:mitigation options. They can be they can be scaled up to meet
Dr. Dave Chatterjee:business needs. They integrate very well with the business
Dr. Dave Chatterjee:infrastructure. And last but not least, they offer very robust
Dr. Dave Chatterjee:reporting capabilities. I would never recommend a particular
Dr. Dave Chatterjee:platform over the other. That is never the intent of this
Dr. Dave Chatterjee:episode. In fact, that undermines the credibility of
Dr. Dave Chatterjee:this episode. But what I always like to do is in collaboration
Dr. Dave Chatterjee:with my subject matter expert guest, today, we have Marcos,
Dr. Dave Chatterjee:I'd like to offer guidance to organizations when they're
Dr. Dave Chatterjee:trying to make this call. And that guidance is especially
Dr. Dave Chatterjee:relevant because while you can hire third party expertise for
Dr. Dave Chatterjee:threat modeling, but considering how intrinsic how centric threat
Dr. Dave Chatterjee:modeling is to overall security governance, it is imperative
Dr. Dave Chatterjee:that an organization develops in-house competency in-house
Dr. Dave Chatterjee:capability, as opposed to oh, this is something we don't want
Dr. Dave Chatterjee:to deal with. Let's get an outside vendor do it for us.
Dr. Dave Chatterjee:That doesn't serve the purpose. And so I would strongly urge
Dr. Dave Chatterjee:organizations to make that investment in people, in
Dr. Dave Chatterjee:process, in technology, to develop threat modeling skills,
Dr. Dave Chatterjee:capabilities in-house. But having said that, I'll pass it
Dr. Dave Chatterjee:over to Marcos. Marcus, please share your final thoughts and
Dr. Dave Chatterjee:help us wrap up the episode for today.
Marcos Lira:Yes, Threat Modeling is you know, it is a
Marcos Lira:concept. It's a process. It's applicable to every layer, every
Marcos Lira:domain of an organization. It should not be relied on, purely
Marcos Lira:on automation, purely on a software tool, it has a manual
Marcos Lira:component to it, you gotta you know, in order to think of all
Marcos Lira:the possible threats out there, you know, you got to take an
Marcos Lira:attackers perspective. The next point I wanted to make is threat
Marcos Lira:modeling for assets that you know of, it's easier. But for an
Marcos Lira:organization, you got to think about the assets that you have
Marcos Lira:forgotten, that have been misconfigured over time, that
Marcos Lira:have been poorly managed over time. And I think it's more
Marcos Lira:important now than ever to threat model against those
Marcos Lira:assets. And in order to really have an understanding of the
Marcos Lira:attack surface, you do need a attack surface management tool.
Marcos Lira:And the first part of the attack surface management tool, or the
Marcos Lira:foundational layer of that is discovery. And that's where
Marcos Lira:reconnaissance comes into play. Right? Reconnaissance is the
Marcos Lira:first step of the cyber kill chain, we think of from an
Marcos Lira:attackers point of view. You think of NIST, it's identify,
Marcos Lira:right, you have to identify what's on your attack surface.
Marcos Lira:That's the only way that you can defend against those assets. And
Marcos Lira:so threat modeling, the very first step is reconnaissance is
Marcos Lira:discovery. It's identify all the assets on the attack surface,
Marcos Lira:and then model against those assets. Right, well, possible
Marcos Lira:threats. And maybe you avoid the threat. And by avoiding the
Marcos Lira:threat, I mean, you take down the asset, and the asset does
Marcos Lira:not serve a purpose, it does not need to be on the attack
Marcos Lira:surface. So you take that asset down. Right? That is one of the
Marcos Lira:best approaches, is reducing the attack surface, this is gonna
Marcos Lira:make a lot, this is gonna make threat modeling much easier.
Marcos Lira:When you start thinking of data flows, the world is now powered
Marcos Lira:by API's. And we're moving from a culture of everything's
Marcos Lira:housed, everything is the infrastructure is in-house to
Marcos Lira:everything is as-a- service, software as a service,
Marcos Lira:infrastructure as a service, when you got to start thinking
Marcos Lira:of the possible threats along those connections, because now
Marcos Lira:we're connecting to what we call trust boundaries. Right, my data
Marcos Lira:that comes in from a source that I have full control over, maybe
Marcos Lira:will utilize a CRM for Salesforce. And so now I have a
Marcos Lira:third party that's providing me software as a service. And we're
Marcos Lira:transferring our customer data to that CRM. Well, that's PII
Marcos Lira:that's hosted at a third party. So now I got a threat model
Marcos Lira:against that third party. And so threat modeling, it's not just
Marcos Lira:for your organization, it should really be expanded to all the
Marcos Lira:trusted boundaries you have along your network. And so, yes,
Marcos Lira:I would. So my takeaways are, again, you know, utilize a an
Marcos Lira:attack surface management solution to identify all the
Marcos Lira:assets on the attack surface. Second, reduce or in this case,
Marcos Lira:avoid risk by reducing the attack surface. And then lastly,
Marcos Lira:apply threat modeling, to the assets that remain on the attack
Marcos Lira:surface, this process will become much easier, you will be
Marcos Lira:able to identify your gaps much faster, identify weaknesses,
Marcos Lira:identify vulnerabilities. It's all going to be much faster once
Marcos Lira:you have an understanding of what's out there, what are the
Marcos Lira:attackers seeing from their perspective?
Dr. Dave Chatterjee:Fantastic. Well, I really appreciate your
Dr. Dave Chatterjee:time Marcos. It's been a pleasure having you on this
Dr. Dave Chatterjee:episode, and I look forward to many more interesting
Dr. Dave Chatterjee:conversations. And I know listeners greatly appreciated
Dr. Dave Chatterjee:your insights. Thank you again. A special thanks to Marcos Lira
Dr. Dave Chatterjee:for his time and insights. If you like what you heard, please
Dr. Dave Chatterjee:leave the podcast a rating and share it with your network.
Dr. Dave Chatterjee:Also, subscribe to the show, so you don't miss any new episodes.
Dr. Dave Chatterjee:Thank you for listening, and I'll see you in the next
Dr. Dave Chatterjee:episode.
Introducer:information contained in this podcast is for
Introducer:general guidance only. The discussants assume no
Introducer:responsibility or liability for any errors or omissions in the
Introducer:content of this podcast. The information contained in this
Introducer:podcast is provided on an as-is basis with no guarantee of
Introducer:completeness, accuracy, usefulness, or timeliness. The
Introducer:opinions and recommendations expressed in this podcast are
Introducer:those of the discussants and not of any organization