Threat modeling, as we are all aware, is the practice of identifying the threats to an organization's systems and applying measures to mitigate them. Done consistently, it reduces the likelihood and impact of breaches within an organization. As the OWASP Foundation puts it, "Threat modeling works to identify, communicate, and understand threats and mitigations within the context of protecting something of value."
A number of threat modeling tools are available to serve this purpose. There are open-source threat modeling tools such as ThreatDragon, Trike, and PASTA, and there are automated threat modeling tools, which include the Microsoft Threat Modeling Tool, IriusRisk, and ThreatModeler.
In this post we will look at an example of threat modeling in practice: how ABN Amro adopted the IriusRisk automated threat modeling tool.
ABN Amro is a bank whose history dates back 300 years. After several acquisitions, mergers, and split-ups, the current version of the bank was formed in 2010 when it merged with Fortis Bank Nederland. It is currently the third leading bank in the Netherlands, with its headquarters in Amsterdam. It has about 32,000 employees, most of whom are based in the Netherlands.
ABN Amro decided to embark on a major digital transformation program, which it named 'Project Apollo'. The goal was to move its data from private data centers to the cloud, a change expected to affect 500+ teams across the organization. Threat modeling was at the core of this digital transformation, and ABN Amro approached IriusRisk (an automated threat modeling tool) as part of the initiative.
The IriusRisk threat modeling tool is built around the four questions that frame any threat modeling exercise:
- What are we building?
- What can go wrong?
- What are we going to do about it?
- Did we do a good job?
Threat modeling itself was not new to ABN Amro. It had already learned the importance of threat modeling and had implemented the STRIDE approach within its SDLC, but the process was entirely manual. The bank also understood the importance of the "shift left" principle, which it termed "shift security left".
It had taken almost a year to roll out the manual threat modeling approach. Teams drew their diagrams in draw.io, tracked threats and requirements in spreadsheets, and uploaded the same material to different platforms. This manual approach was highly dependent on the security teams, and once the digital transformation got under way the DevOps teams had to be involved as well.
The drawback of the manual approach was that it was simply not efficient enough for the scale of the transformation. With the major digital transformation scheduled, teams from IriusRisk, including DevOps, Security, Senior Management, and Customer Success, joined the team from ABN Amro. Security requirements were then centralized in IriusRisk rather than being scattered across spreadsheets and platforms.
These were a few of the positive changes observed after implementing the IriusRisk threat modeling approach:
- Threat modeling became a mandatory requirement for development (it was no longer an ad-hoc activity, as it had been earlier)
- With IriusRisk, a threat model was created in 4.5 hours, down from 8.5 hours when using the manual threat modeling approach
- Security requirements became centralized
- Threat modeling was no longer a complicated activity; it was more configurable, and reports were auto-generated
- With IriusRisk, 100 teams completed threat modeling in 7 months, down from 1.5 years when done manually
- The number of teams doing threat modeling increased to 200, up from 100 teams with the manual approach
We have seen the successful adoption of the IriusRisk threat modeling approach at ABN Amro as a practical example of threat modeling in practice.
Do enroll in our 'Certified Threat Modeling Professional' (CTMP) course, which focuses on giving you practical skills in threat modeling.