HP Security Briefing, episode 13 – The art and near-science of threat modeling

Angela_Gunn ‎05-30-2014 11:28 AM - edited ‎05-30-2014 11:37 AM

In this month’s Security Briefing, we discuss the history of, and current trends in, threat modeling, with an emphasis on approaches to introducing threat-modeling processes to the reader’s enterprise. You can listen to this episode of the HP Security Briefing podcast on the Web or via iTunes, and you can read or download the detailed companion report here.


Many enterprises would say it’s all anyone can do to combat attacks on software, networks, and other assets as they’re discovered. Effective security strategy, however, entails getting out in front of attacks as much as possible. That process, whether it’s applied to software development, network management, or any number of other tech-related processes in the enterprise, is called threat modeling.


Approaches to threat modeling can be divided into three essential types: software-centric, asset-centric, and attacker-centric. They’re derived not only from years of thinking (and a number of high-profile mishaps) in the tech industry, but from decades of sociological studies and centuries of military theory.


At its base, threat modeling is yet another permutation of risk management, the soul of information security. Threat modeling asks that we assign value to our assets, examine them closely for potential vulnerabilities, assess what risks those vulnerabilities pose to our enterprise, and plan to mitigate them (or not). Threat modeling is not auditing (though auditing can be useful as we determine which assets or controls merit the modeling effort); it is a way of learning from the past to manage future risk.


In this month’s briefing, we give an overview of the threat-modeling landscape – what it affects, how it got this way, what the current notable conditions are, and how to introduce the pertinent concepts to your organization. Along the way we’ll learn which branch of the US Armed Forces – and which former SEAL Team commander – has the best guidance for threat modelers; start to STRIDE and to view security with DREAD; enjoy some PASTA; and play a few card games. We’ll take operations-management advice from rock gods and we’ll set ground rules for pre-empting threats before they can harm your enterprise.


(We’ll also explain our name change. This HP Security Briefing continues the series previously known as the HP Security Research Threat Intelligence Briefing and is the thirteenth in that line. The archive for this and all previous Briefings can be found and bookmarked here.)
