HP Security Briefing, episode 13 – The art and near-science of threat modeling

In this month’s Security Briefing, we discuss the history of, and current trends in, threat modeling, with an emphasis on approaches to introducing threat-modeling processes to the reader’s enterprise. You can listen to this episode of the HP Security Briefing podcast on the Web or via iTunes, and you can read or download the detailed companion report here.

Many enterprises would say it’s all anyone can do to combat attacks on software, networks, and other assets as they’re discovered. Effective security strategy, however, entails getting out in front of attacks as much as possible. That process, whether it’s applied to software development, network management, or any number of other tech-related processes in the enterprise, is called threat modeling.

Approaches to threat modeling can be divided into three essential types: software-centric, asset-centric, and attacker-centric. They’re derived not only from years of thinking (and a number of high-profile mishaps) in the tech industry, but from decades of sociological studies and centuries of military theory.

At its base, threat modeling is yet another permutation of risk management, the soul of information security. Threat modeling asks that we assign value to our assets, examine them closely for potential vulnerabilities, assess what risks those vulnerabilities pose to our enterprise, and plan to mitigate them (or not). Threat modeling is not auditing – though auditing can be useful as we determine which assets or controls merit the modeling effort – but a way of learning from the past to manage future risk.

In this month’s briefing, we give an overview of the threat-modeling landscape – what it affects, how it got this way, what the current notable conditions are, and how to introduce the pertinent concepts to your organization. Along the way we’ll learn which branch of the US Armed Forces – and which former SEAL Team commander – has the best guidance for threat modelers; start to STRIDE and to view security with DREAD; enjoy some PASTA; and play a few card games. We’ll take operations-management advice from rock gods and we’ll set ground rules for pre-empting threats before they can harm your enterprise.
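The asset-centric process sketched above (value the assets, enumerate what can go wrong, score the risk, decide whether to mitigate) and the STRIDE and DREAD schemes named in this paragraph can be tied together in a small risk register. The following is an added example, not code from HP or from the briefing: the assets, threats and ratings are constructed, the 1–5 asset-value scale, the "asset value × DREAD average" risk formula and the mitigation threshold are this example's own choices, and a real register would use whatever scales the organization agrees on.

```python
"""Asset-centric threat-model risk register using STRIDE categories and DREAD scoring.

Added example, not from the HP briefing. The asset values, threats and
scores below are constructed; the asset-value scale, the risk formula and
the mitigation threshold are assumptions of this example.
"""
from dataclasses import dataclass
from enum import Enum


class Stride(Enum):
    """The six STRIDE threat categories."""
    SPOOFING = "Spoofing"
    TAMPERING = "Tampering"
    REPUDIATION = "Repudiation"
    INFORMATION_DISCLOSURE = "Information disclosure"
    DENIAL_OF_SERVICE = "Denial of service"
    ELEVATION_OF_PRIVILEGE = "Elevation of privilege"


@dataclass(frozen=True)
class Asset:
    name: str
    value: int  # business value on a 1-5 scale (this example's assumption)


@dataclass(frozen=True)
class Threat:
    asset: Asset
    category: Stride
    description: str
    # DREAD factors, each rated 1-10
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def dread_score(self) -> float:
        """Average of the five DREAD factors; rejects ratings outside 1-10."""
        factors = (self.damage, self.reproducibility, self.exploitability,
                   self.affected_users, self.discoverability)
        for f in factors:
            if not 1 <= f <= 10:
                raise ValueError(f"DREAD factor out of range: {f}")
        return sum(factors) / len(factors)

    def risk(self) -> float:
        """Risk = asset value x DREAD average (this example's own formula)."""
        return self.asset.value * self.dread_score()


def rank_threats(threats):
    """Highest-risk threats first."""
    return sorted(threats, key=lambda t: t.risk(), reverse=True)


def triage(threats, mitigate_threshold: float):
    """Split a register into threats to mitigate and threats to accept.

    Returns (mitigate, accept), each ranked by risk. Anything at or above
    the threshold is planned for mitigation; the rest is accepted and
    recorded, which is the "(or not)" in the briefing's description.
    """
    mitigate = [t for t in threats if t.risk() >= mitigate_threshold]
    accept = [t for t in threats if t.risk() < mitigate_threshold]
    return rank_threats(mitigate), rank_threats(accept)


# Constructed sample register (assets, threats and ratings are made up).
CUSTOMER_DB = Asset("customer database", value=5)
STATUS_PAGE = Asset("public status page", value=1)

SAMPLE_THREATS = [
    Threat(CUSTOMER_DB, Stride.INFORMATION_DISCLOSURE,
           "unvalidated query parameter exposes customer records",
           damage=9, reproducibility=8, exploitability=7,
           affected_users=9, discoverability=7),
    Threat(CUSTOMER_DB, Stride.REPUDIATION,
           "administrator edits are not logged",
           damage=5, reproducibility=10, exploitability=3,
           affected_users=4, discoverability=3),
    Threat(STATUS_PAGE, Stride.DENIAL_OF_SERVICE,
           "unauthenticated request flood takes the page offline",
           damage=3, reproducibility=9, exploitability=8,
           affected_users=6, discoverability=9),
]

if __name__ == "__main__":
    to_mitigate, to_accept = triage(SAMPLE_THREATS, mitigate_threshold=20.0)
    for label, group in (("MITIGATE", to_mitigate), ("ACCEPT", to_accept)):
        for t in group:
            print(f"{label:8} risk={t.risk():5.1f} [{t.category.value}] "
                  f"{t.asset.name}: {t.description}")
```

Run as a script it prints the register split into the two decision buckets. Keeping the accepted threats in the output, rather than dropping them, matters in practice: the accepted risk is part of the record that the next review cycle starts from, which is the "learning from the past" the briefing describes.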

(We’ll also explain our name change. This HP Security Briefing continues the series previously known as the HP Security Research Threat Intelligence Briefing and is the thirteenth in that line. The archive for this and all previous Briefings can be found and bookmarked here.)
