Threat Modelling: Understanding the Business Impact of a Successful Attack
The overwhelming number of potential threats to your organization from cyber criminals, hackers and insider actors is a challenge even for the most experienced IT security professionals. Monitoring the threat landscape is becoming unmanageable, sapping budgets and using up resources on threats that may never materialize.
However, we know that these threats are very real, if not inevitable, and successful attacks are expensive, disruptive and damaging for brand reputation and the bottom line.
How can we identify the types of threat our organizations are most at risk of? How can we focus our limited resources on protecting our organizations from known, unknown and emerging threats? How can we direct our cyber security budgets at the threats that would cause the most damage to our organizations? How do we know whether recent breach incidents such as Petya and WannaCry pose a real threat to our businesses or not?
This is where threat modelling provides a solution. Threat modelling is a highly personalized and targeted approach to managing cyber risk that assesses the threat landscape as it applies to an individual organization. By identifying the threats the organization is most at risk of, and prioritizing them by the impact they would have on that organization, resources can be directed at the highest-priority threats, making better use of limited budgets and staff.
Our Approach to Threat Modelling
Burning Tree have teamed up with Fidelis CyberSecurity to offer a threat modelling service that enables organizations to make intelligent decisions about how to protect themselves from cyber threats.
Our approach follows these five steps:
1: Understand the landscape
The first step is to assess the threat landscape as it applies to your organization. What known, unknown and future threats is your organization most at risk of? We explore potential threats based on factors such as your industry, organizational structure, IT infrastructure and systems, high-value targets, business activities and potential threat actors.
2: Threat analysis and ranking
Next we look at the consequences of potential threats and their impact on your organization. What is the impact of a successful attack, and what is the resulting risk to the business? We produce a key-stakeholder report that gives a thorough understanding of the global threat landscape as it applies to your organization, and rank those threats according to their impact on your business operations.
3: Controls effectiveness
We also assess and document the controls your organization has in place, highlighting entry points to systems and infrastructure and assessing how effective the controls are against the threats identified and the business impact of each.
4: Residual risk
What threats still remain after controls have been put in place? We explore whether any residual risk can be reduced further, avoided altogether, transferred or accepted. To do this we identify relevant governance, risk and compliance (GRC) requirements, assess the strengths and weaknesses of the organization's controls, understand your risk appetite, and identify ways to offset unacceptable residual risks.
5: Mitigation actions
The final stage of threat modelling is to make recommendations for protecting the organization from the highest-priority threats. This includes recommending threat-preparedness technology and architecture, as well as cyber security strategies and processes that can be implemented at very low or no cost.
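The five steps above can be reduced to a small, repeatable scoring model: rate each threat's likelihood and business impact (step 2), estimate how much of that inherent risk the current controls remove (step 3), compare what is left with the organization's risk appetite (step 4), and let the ranking drive where mitigation effort goes (step 5). The following is an added illustration, not Burning Tree's or Fidelis's own methodology or tooling; the 1 to 5 scales, the percentage effectiveness figure, the risk-appetite threshold and the sample threats are all constructed assumptions chosen to show the arithmetic.

```python
"""Minimal threat ranking model (illustrative, not a vendor methodology).

Inherent risk  = likelihood x impact                    (step 2: analysis and ranking)
Residual risk  = inherent risk x (100 - effectiveness%) / 100   (steps 3-4: controls, residual)
Treatment      = "mitigate" if residual > risk appetite else "accept"   (step 5)
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int            # assumed 1 (rare) .. 5 (almost certain)
    impact: int                # assumed 1 (negligible) .. 5 (severe) business impact
    control_effectiveness: int  # assumed 0 .. 100: % of inherent risk the current controls remove

    def __post_init__(self) -> None:
        # Reject out-of-range ratings early so a typo cannot silently distort the ranking.
        if not 1 <= self.likelihood <= 5:
            raise ValueError(f"{self.name}: likelihood must be 1..5")
        if not 1 <= self.impact <= 5:
            raise ValueError(f"{self.name}: impact must be 1..5")
        if not 0 <= self.control_effectiveness <= 100:
            raise ValueError(f"{self.name}: control_effectiveness must be 0..100")


def inherent_risk(t: Threat) -> int:
    """Risk before any controls are considered (max 25 on these scales)."""
    return t.likelihood * t.impact


def residual_risk(t: Threat) -> float:
    """Risk that remains once the measured effectiveness of existing controls is applied."""
    return inherent_risk(t) * (100 - t.control_effectiveness) / 100


def treatment(residual: float, risk_appetite: float) -> str:
    """Step 4/5 decision: anything above the appetite threshold needs further mitigation."""
    return "mitigate" if residual > risk_appetite else "accept"


def rank_threats(threats: list[Threat], risk_appetite: float) -> list[dict]:
    """Return threats ordered by residual risk, highest first, with the treatment decision."""
    rows = [
        {
            "name": t.name,
            "inherent": inherent_risk(t),
            "residual": residual_risk(t),
            "treatment": treatment(residual_risk(t), risk_appetite),
        }
        for t in threats
    ]
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


# Constructed sample register; the names and ratings are illustrative only.
SAMPLE_THREATS = [
    Threat("Ransomware delivered by phishing", likelihood=4, impact=5, control_effectiveness=50),
    Threat("Insider exfiltration of customer data", likelihood=3, impact=4, control_effectiveness=25),
    Threat("SQL injection on customer portal", likelihood=3, impact=5, control_effectiveness=80),
    Threat("DDoS against marketing website", likelihood=2, impact=2, control_effectiveness=50),
]
RISK_APPETITE = 6.0  # assumed threshold: residual risk above this is unacceptable


if __name__ == "__main__":
    for row in rank_threats(SAMPLE_THREATS, RISK_APPETITE):
        print(f"{row['name']:<40} inherent={row['inherent']:>3} "
              f"residual={row['residual']:>5.1f}  -> {row['treatment']}")
```

On this constructed register, ransomware ranks first (inherent 20, residual 10) and insider exfiltration second (inherent 12, residual 9), and both exceed the appetite of 6, so they are the two candidates for mitigation spending. The SQL injection threat has a higher inherent score than insider exfiltration, but the strong existing controls bring it to a residual of 3, illustrating why ranking on residual rather than inherent risk is what stops budget being spent on threats already well covered.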