How to Use Your Threat Model as a Guidepost for Security
The threats you face are unique to your company's size, industry, customer base, and many other factors. So your approach to protecting your organization's digital data should be unique, too.
In this post, we’ll cover a framework for developing an effective threat model that fits your organization's unique needs.
The Factors that Determine Your Unique Threat Model
There are many factors that can determine your threat model. And while this will vary from company to company, we've identified three that typically determine what your threat model looks like. Each will help to shape what you should be focused on, helping you to sort out the hype from the reality as you formulate and manage your security strategy.
Industry
The industry your business operates in will dictate what you need to do from a security standpoint. Some industries are more regulated than others. Some have different types of data at their disposal, and as a result, this can affect how attackers go after them.
Financial companies, for example, are big targets because attackers stand to make a lot of money if you don’t have the right protections in place. Healthcare and eCommerce companies are two other big targets for attacks, as companies in these industries process and store sensitive data that can be held for ransom or used to exploit a business. Take a look at the common threats in your industry to begin to develop your threat model.
Compliance and Regulations
The type of organization you run will also dictate what kinds of compliance and regulatory requirements you’re expected to uphold. If you’re a healthcare company, for example, you’re beholden to HIPAA, and if you process credit card data, you’re required to meet the PCI DSS standard. Depending on what type of data you process and what types of customers you have, other frameworks like ISO 27001, SOC 1, SOC 2, and FedRAMP may come into play as well.
Be sure you’re up to date with the compliance requirements of your particular industry so that you know what you’re expected to do. Compliance and security requirements can also overlap, as in the case of monitoring and user access policies, so by following compliance guidelines you may be able to meet a broad range of security best practices. But remember, compliance alone is not security, and you should be investing in security measures beyond compliance requirements.
Customer Base
Above and beyond what you do from a compliance and security best practices standpoint, your customer base may require additional protections. Especially if you’re storing sensitive information — like PHI or PII — customers will need to know without a doubt that systems and applications are locked down to protect against malicious inside and outside actors.
Implementing protections to satisfy customer requirements means having a deep understanding of their expectations, anticipating common questions that come up during the sales cycle, and getting management buy-in early on to provide adequate protections.
Taking an Inside-Out Approach to Security
Rather than looking outward at the latest attacks—ones that may actually have nothing to do with your business—you should look at what threats your unique organization is most likely to encounter, and focus your efforts on those.
Malware, for example, is a huge problem today affecting businesses of all shapes and sizes. Realizing that your threat may be as common and routine as malware (rather than as extreme and unusual as a zero-day attack perpetrated by a nation state) can completely shift your security focus.
Then it becomes a matter of focusing more on employee education and leveraging malware protection tools, and less on buying the latest and greatest vulnerability management and threat intelligence tools. With a focus on your real threats, you can greatly reduce the chances of a common and routine (yet very damaging) threat getting in and doing damage.
Here are a few questions you can ask yourself as you assess your threat model:
- What threats are the team responding to on a regular basis?
- What is the log data telling you?
- What data is most sensitive to the business and customers?
- What could you be doing to better protect it?
- What systems store and process the most sensitive data?
- What should you be doing to better lock them down from malicious actors?
Using this framework, you can shift your focus away from the shiny news headlines and instead focus on your most likely and common threats.
Designing Controls Around Your Risks
Using your threat model as a guidepost, you can get a very clear picture of the risks your unique business faces and begin designing controls around those.
Once you have identified the risks to your business, consider the following:
- What are we doing today (if anything) to protect against these?
- What can we implement today (processes, tools, etc.) to boost protection in these areas?
- What other departments need to have input on threats facing the business?
- Who on the team needs to be involved in implementing better controls, processes, and technologies to meet these needs?
- How can we better design employee education and policies to enforce these protections?
Then, with your bases covered and protections in place, you can look to beef up security in other areas — whether that be implementing threat intelligence, buying a vulnerability management tool, or thinking about other national or international threats.
With more awareness focused inward, your business can become more intelligent about designing a threat model to address your most pressing needs, better optimizing your resources and budget for the threats that matter most.
And once you have a threat model fleshed out, you can start making investments in your people, processes, and technology to meet the protection needs of your organization.
About Jen Andre
Jen is the founder and CEO of Komand. Before Komand, she co-founded Threat Stack, a leading innovative cloud security monitoring company based out of Boston. She has spent a career in security working at companies Mandiant and Symantec and has a background in engineering and security operations.