Welcome back to a new installment in the “How to be a Better Threat Modeler” series.
We are in the middle of our path toward a better understanding of the skills required to analyze, efficiently and effectively, the security of the design of any solution thrown at us, using the Threat Modeling approach.
In the previous article, we introduced sources for acquiring the required technical knowledge of Threats and Mitigations, which is the first of the three skills we have identified as necessary for Threat Modelers. With this new article, we want to further expand our skillset by getting acquainted with the holistic approach.
There are various ideas developed around the need for a holistic approach to Security. It is not a new idea: references on the Internet date back 20 years and more. For example, you can find a study published in early 2013 by Issa Atoum, Ahmed Ali Otoom and Amer Abu Ali, titled “A holistic cyber security implementation framework”. Even Microsoft has had its say on this topic, with a document published in 2017 entitled Holistic Security Strategy.
Traditional security models have focused on layered perimeter defenses and building “better walls.” The world has changed. Today, organizations need to have an always-on and multifaceted approach to security that constantly protects all endpoints, detects the early signs of a breach, and responds before that threat can cause damage. […] The challenge is to make security measures more effective against a backdrop of staffing shortages and an ever-expanding attack footprint of users, devices, applications, data, and infrastructure. Today’s CISOs have evolved their approaches and their aims from safeguarding assets to building agile security frameworks that enable digital transformation. These strategies are holistic in that they embed the latest technologies into enduring processes and training programs.
(Microsoft, 7 steps to a holistic security strategy)
So, we have established that “Holistic cybersecurity” is an idea powerful enough to have inspired both academic studies and big companies like Microsoft. But does it have any real practical value, or is it just another trendy term like many others?
Of course, this is a rhetorical question, or I would not have written an article about it. In my experience, this concept is essential for ensuring that security provides complete coverage of all potential risks. If you think about it, applying the holistic approach has several consequences.
First of all, many tools for Threat Modeling analyze the system in scope by focusing on each of its components separately. This is an evident violation of the holistic approach, and it misses many issues that arise only from the solution as a whole, such as a weakness created by the way two individually sound components are wired together. I consider this a severe problem because it diverts attention from what matters most, while giving the false impression of having done everything right. Most of the time, it also makes Threat Modeling a dull and repetitive task and kills every good intention at the very start. All that, without providing any meaningful value. But you already know that, because I introduced you to my thoughts on it some months ago.
A second observation is that, for many organizations, Security seems to be mostly an infrastructural concern. As a result, aspects like the architecture or the code tend to be left out. Again, we have a violation of the holistic approach. Mind you, it would be equally wrong to focus only on the architecture or only on the code. What is required is to cover each of them and then the solution as a whole.
If you consider the holistic approach together with the Weakest Link of the Chain security principle, you can see how difficult it is to get security right. In fact, you have to cover everything, the details as well as the overall picture, and still someone could compromise your system by attacking some weakness you have left behind. The net result is that you must assume that someone will ultimately succeed in compromising your solution. You cannot do anything to prevent that: you simply have to accept it as a fact of life. What we are talking about is the famous Assume Breach principle. This does not mean that you cannot do anything to make life hard for attackers: I agree with Roger A. Grimes when he writes that you can do a lot to mitigate the risk, but it is not true that you can completely remove it. Thus, the right approach is to do your due diligence, as Roger writes in his article, and then plan for the worst.
We are at the end of our article. At this point, I have to give you practical ideas to help you get better at the essential skill discussed here. This time, it is a little more complicated, because there are no readily available books or other references besides what I have already listed above.
But I can give you a couple of final recommendations. The first is to understand where your skills are and then invest in covering your weaknesses. Are you an expert Security practitioner, with strong infrastructural skills, who gets scared when someone starts to talk about application security? Start studying Application Security and, why not, work toward a specific certification like the (ISC)2 CSSLP. Never be scared again by topics outside your comfort zone: welcome them as opportunities to grow.
Another recommendation is to exercise your holistic mindset by continuously asking yourself what you are missing. Have you covered the infrastructure? What about the architecture and the code? Are you missing anything else? Hint: the infrastructure is not only about the services provided, but also about how they are operated.
And then, when you are happy with everything and you are sure you have covered every item separately, start considering them all together. For example, Monitoring is a relatively easy task when you are considering Infrastructure and Operations. For developers, Monitoring has few or no security implications, because it is mostly about troubleshooting and performance, but it is still something they know about. When you put all those concepts together, something exceptional happens: you get an integrated approach to Monitoring, focused on a holistic view of the security of the solution, achieved by using both the infrastructure and the code as sources of events. Each source on its own can be blind to what the other sees; together, you are not blind anymore and can understand what is actually happening to your solution.
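To make that last point concrete, here is an added example of my own (not code from the original article or from any of the works cited): a small Python correlator that joins application-level authentication events with reverse-proxy access logs. The log lines, request identifiers, addresses and user names are all constructed for the example, and the access-log format with a trailing request id is an assumption, not any specific product's format. The application sits behind a proxy, so its events only carry the proxy address; the proxy returns HTTP 200 for failed logins, so its access log alone shows no failures. Neither source can attribute the attack on its own; joined on the request id, they reveal one client failing against many accounts.

```python
import json
import re
from collections import defaultdict

# Constructed reverse-proxy access log (infrastructure source). Format is an
# assumption for this example: combined-log fields plus a quoted request id.
# The proxy returns 200 for failed logins, so status codes alone reveal nothing.
ACCESS_LOG = """\
203.0.113.7 - - [10/Mar/2023:10:00:01 +0000] "POST /login HTTP/1.1" 200 512 "req-1001"
203.0.113.7 - - [10/Mar/2023:10:00:02 +0000] "POST /login HTTP/1.1" 200 512 "req-1002"
198.51.100.4 - - [10/Mar/2023:10:00:03 +0000] "POST /login HTTP/1.1" 200 512 "req-1003"
203.0.113.7 - - [10/Mar/2023:10:00:04 +0000] "POST /login HTTP/1.1" 200 512 "req-1004"
203.0.113.7 - - [10/Mar/2023:10:00:05 +0000] "POST /login HTTP/1.1" 200 512 "req-1005"
198.51.100.4 - - [10/Mar/2023:10:00:06 +0000] "POST /login HTTP/1.1" 200 512 "req-1006"
"""

# Constructed application security events (code source), one JSON object per
# line. The app only ever sees the proxy address 10.0.0.5 as its peer.
APP_EVENTS = """\
{"event": "auth_failure", "user": "alice", "peer": "10.0.0.5", "request_id": "req-1001"}
{"event": "auth_failure", "user": "bob", "peer": "10.0.0.5", "request_id": "req-1002"}
{"event": "auth_failure", "user": "carol", "peer": "10.0.0.5", "request_id": "req-1003"}
{"event": "auth_failure", "user": "carol", "peer": "10.0.0.5", "request_id": "req-1004"}
{"event": "auth_failure", "user": "dave", "peer": "10.0.0.5", "request_id": "req-1005"}
{"event": "auth_success", "user": "carol", "peer": "10.0.0.5", "request_id": "req-1006"}
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "(?P<request_id>[^"]+)"$'
)


def parse_access_log(text):
    """Map request_id -> (client_ip, method, path, status); skip malformed lines."""
    requests = {}
    for line in text.splitlines():
        m = ACCESS_RE.match(line.strip())
        if m:
            requests[m["request_id"]] = (m["ip"], m["method"], m["path"], int(m["status"]))
    return requests


def parse_app_events(text):
    """Parse JSON-lines application events into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def infra_only_login_errors(access_text):
    """Infrastructure view alone: /login requests whose HTTP status signals failure."""
    return sum(1 for _ip, _m, path, status in parse_access_log(access_text).values()
               if path == "/login" and status >= 400)


def app_only_failures_by_peer(app_text):
    """Code view alone: auth failures grouped by the peer the application sees."""
    by_peer = defaultdict(set)
    for ev in parse_app_events(app_text):
        if ev["event"] == "auth_failure":
            by_peer[ev["peer"]].add(ev["user"])
    return dict(by_peer)


def correlated_failures_by_client(access_text, app_text):
    """Holistic view: join app auth failures to the proxy log on request_id."""
    requests = parse_access_log(access_text)
    by_client = defaultdict(set)
    for ev in parse_app_events(app_text):
        if ev["event"] != "auth_failure":
            continue
        req = requests.get(ev["request_id"])
        if req is None:
            continue  # no infra record for this event: keep processing the rest
        by_client[req[0]].add(ev["user"])
    return dict(by_client)


def detect_credential_stuffing(access_text, app_text, min_accounts=3):
    """Flag clients whose failed logins span at least min_accounts distinct users."""
    by_client = correlated_failures_by_client(access_text, app_text)
    return sorted((ip, sorted(users)) for ip, users in by_client.items()
                  if len(users) >= min_accounts)


if __name__ == "__main__":
    print("infra-only login errors:", infra_only_login_errors(ACCESS_LOG))
    print("app-only failures by peer:", app_only_failures_by_peer(APP_EVENTS))
    print("correlated:", detect_credential_stuffing(ACCESS_LOG, APP_EVENTS))
```

Run stand-alone, the infrastructure-only check returns zero errors and the application-only view blames the proxy address, which is useless for blocking; only the correlated view names the client 203.0.113.7 failing against four different accounts. The practical prerequisite is the one the paragraph hints at: the request id has to be emitted by both the proxy configuration (operations) and the application code (developers), which is exactly the kind of cross-cutting requirement a component-by-component analysis never surfaces.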
Thank you again for reading so far. I hope it has been a useful read.
Enjoy Threat Modeling and stay safe!