A magnifying glass with a yellow triangle on it.
BlogSecurity
June 22, 2023

Our approach to threat modeling

Written by
Jess Chang
Senior Technical Program Manager, Security & Enterprise Engineering
Rob Picard
Security Lead
Reviewed by
No items found.

Accelerating security solutions for small businesses 

Tagore offers strategic services to small businesses. 

A partnership that can scale 

Tagore prioritized finding a managed compliance partner with an established product, dedicated support team, and rapid release rate.

Standing out from competitors

Tagore's partnership with Vanta enhances its strategic focus and deepens client value, creating differentiation in a competitive market.

In this series, you’ll hear directly from Vanta’s Security, Enterprise Engineering, and Privacy, Risk, & Compliance Teams to learn about the team’s approach to keeping Vanta — and most importantly, our customers — secure.

The following post comes from our Security Team and explains our approach to threat modeling.

What is threat modeling?

Threat modeling is the process of identifying and understanding the potential threats and risks that can impact a given business, system, network, or feature. 

The goal of threat modeling is to make better decisions. We do this by building a better mental model of the world, keeping things in mind such as potential attacker’s profiles, motivation, goals, and likely attack vectors. Many of us model threats every day—when making decisions such as choosing to buckle your seatbelt, looking both ways before you cross the street, and more.

How does Vanta approach threat modeling?

At Vanta, we use threat modeling as a tool to help share knowledge and improve our mental model of Vanta as a company, and of the environment in which we operate. These exercises are most frequently run (though not always) by the Security team, and are held on recurring cadences and on an as-needed basis. 

We don’t maintain a canonical “threat model” at any given point in time. Instead, we view the exercise itself as the primary mechanism through which we benefit. This is because the discussion that arises during a threat modeling exercise is what improves our mental model and enables us to make better decisions.

In other words: “Threat models are useless. Threat modeling is essential.”

When does the Vanta security team threat model?

We view threat modeling as a team and organizational muscle that requires regular exercise.  It can be fun, enlightening and interesting! This means we get together for threat modeling exercises on at least a monthly basis, if not more frequently. Sometimes we'll threat model a given feature, and other times we’ll pick a sample scenario to model and discuss. For some added fun, sometimes we’ll even get together to model threats around a given theme, event, or season.

In addition, we strive to include a wide range of teammates across Vanta in our exercises. This can depend on the topic at hand but often includes individuals from our Enterprise Engineering, Privacy, Risk, & Compliance, Engineering, and Product teams, as well as from our operational and customer-facing teams. Not only does this help evolve our individual mental models of risk, but it also widens our collective lens on hidden risks and opportunities for improvement across the organization to make more informed decisions. 

Keep in mind that if you’re focusing on a specific feature or project, it’s helpful to start as early as possible, such as in the design phase. This lowers the cost of any big changes that need to be made.

What are the core steps you follow?

 Here are the core steps we follow for our threat modeling exercises:

1. Define your goals

Discuss and agree upon what your collective goals are for your threat modeling exercise, and jot this down to help ensure all teammates are on the same page. This could be to model threats for a given feature or project, or something more broad—such as to help inform your team’s planning for a given quarter. Defining your goals up front can help you keep your discussion more focused.

2. Define your scope

Identify the data, systems, and processes at hand that you’re protecting and understand how they’re used, as well as any dependencies. This helps your team to go into greater depth than they could if you had to keep expanding the breadth of your focus.

3. Identify threats

Brainstorm the most significant threats that could compromise the confidentiality, integrity, or availability of your system. While we often consider external attackers, be sure to also consider internal actors, whether intentional or unintentional.

4. Identify controls

Enumerate the controls that are either in place or could be put into place to mitigate each threat, including both preventative and detective controls. 

5. Identify gaps

Model in the gaps that could result in controls failing to block a particular threat. For example, anti-malware doesn’t always detect the malware. What would happen next? What would the next stage of the attack be? Do you have further controls for that step?

6. Next steps

Based on the discussion, identify action items and make sure you address them. Walk away better informed and make good decisions!

During our threat modeling exercises, we use diagramming tools to communicate and connect information and create a clear visual representation of your threat model. This is particularly beneficial during exercises that incorporate a variety of stakeholders—we view these diagrams as primarily for those who are in the room instead of as an artifact for the future.

While we’ve experimented with a variety of tools, we tend to use Deciduous or a lightweight model in FigJam that allows us to collaborate and communicate effectively.

Ex: Sample of a lightweight threat modeling diagram

Tips for threat modeling

An important point to remember is that there are many approaches to threat modeling. Our recommendation is to find what works best for your organization to ensure that you’re able to threat model effectively when you need it most, instead of running an arduous exercise that’s both operationally challenging and outdated quickly.

Here are a few suggestions we have for ensuring threat modeling exercises run smoothly:

  • Your team: Assemble a cross-functional team to ensure you’re incorporating diverse perspectives—such as teammates across your security, engineering, business, and operations teams. This can help reduce observational bias (e.g. the streetlight effect) when modeling threats. Be sure to share context beforehand or at the start of the session, especially if it’s your organization’s first time running a threat modeling exercise.
  • Your roles: Assign clear roles and responsibilities ahead of time. For example, decide who’ll help run the exercise, update the threat model in real-time, and identify anyone who might play a specific role—such as teammates who represent the perspectives of the adversary, defender, developer, etc.
  • Your tools: Identify which tools you’ll use and ensure you’re familiar with how they work prior to threat modeling. Remember, the point is to help create a high-bandwidth information session, not necessarily to capture your discussion for later. 

Additional resources

Our goal is to make more informed decisions every day, and we hope you find threat modeling as fun, interesting, and valuable of an exercise as we do. 

If you’re looking to learn more about threat modeling, whether individually, for your team, or even for your organization, here are a few resources that have been helpful for us:

Access Review Stage Content / Functionality
Across all stages
  • Easily create and save a new access review at a point in time
  • View detailed audit evidence of historical access reviews
Setup access review procedures
  • Define a global access review procedure that stakeholders can follow, ensuring consistency and mitigation of human error in reviews
  • Set your access review frequency (monthly, quarterly, etc.) and working period/deadlines
Consolidate account access data from systems
  • Integrate systems using dozens of pre-built integrations, or “connectors”. System account and HRIS data is pulled into Vanta.
  • Upcoming integrations include Zoom and Intercom (account access), and Personio (HRIS)
  • Upload access files from non-integrated systems
  • View and select systems in-scope for the review
Review, approve, and deny user access
  • Select the appropriate systems reviewer and due date
  • Get automatic notifications and reminders to systems reviewer of deadlines
  • Automatic flagging of “risky” employee accounts that have been terminated or switched departments
  • Intuitive interface to see all accounts with access, account accept/deny buttons, and notes section
  • Track progress of individual systems access reviews and see accounts that need to be removed or have access modified
  • Bulk sort, filter, and alter accounts based on account roles and employee title
Assign remediation tasks to system owners
  • Built-in remediation workflow for reviewers to request access changes and for admin to view and manage requests
  • Optional task tracker integration to create tickets for any access changes and provide visibility to the status of tickets and remediation
Verify changes to access
  • Focused view of accounts flagged for access changes for easy tracking and management
  • Automated evidence of remediation completion displayed for integrated systems
  • Manual evidence of remediation can be uploaded for non-integrated systems
Report and re-evaluate results
  • Auditor can log into Vanta to see history of all completed access reviews
  • Internals can see status of reviews in progress and also historical review detail
FEATURED VANTA RESOURCE

The ultimate guide to scaling your compliance program

Learn how to scale, manage, and optimize alongside your business goals.