Our guide to introducing threat modeling to an enterprise environment

Our guide to introducing threat modeling to an enterprise environment

“The Battle for New York: A Case Study of Applied Digital Threat Modeling at the Enterprise Level,” revealed that threat modelling (in this case, the CoG framework) was adept at developing actionable defence plans for the NYC3 enterprise.

Their evidence suggests that even a relatively limited amount of focused threat modelling performed by internal IT personnel lacking threat-modelling experience can swiftly deliver helpful improvements. All participants in the study devised 147 unique mitigation strategies for threats to their organisation, which would be iterated upon to ensure future developments.

A series of tests were completed during the 27th USENIX Security Symposium USENIX Association. These included participant-designed ADPs whose focus was to block account hijackings of five privileged user accounts. Further incidents involved blocking 541 unique intrusion attempts and discovering and solving three vulnerabilities with public-facing web servers.

Photo by Reuben Hustler on Unsplash

Cybersecurity guidelines drive increased shared knowledge


These practices confirmed that rapid threat modelling applications allowed NYC3 to become more secure. An important observation was around the delivery of multifactor authentication, a non-complex yet critical part of the security process. These processes ensure that certain measures were not already in place despite the federal, state and local compliance standards and “best practices.” Threat modelling allowed NYC3 to implement these security protocols, mitigate security risks and identify potentially dangerous gaps in their systems.

Beyond these primary measures, at a broader level, many organisations are making sizeable investments in cybersecurity tools, capabilities and refinement of existing infrastructures, which often need updating. The development of effective, progressive threat modelling proceedings shows demonstrable results via training without hiring extra personnel. In short, there isn’t any substitute for hands-on training and development.

Photo by Bruno Abatti on Unsplash

Get buy-in from senior management to deliver threat modelling results

To build out any organisational structure, organisational programmes must be devised to facilitate the adoption of threat modelling, including peer-to-peer partnerships and training of new hires. Central to this is communicating with a shared language to senior management and core stakeholders. In addition, a single and unifying threat modelling framework must be delivered across administrative boundaries. This will ensure a shared language within the organisation for communicating about threats.