Threat Intelligence, MSSP

Contextualizing Threats With Threat Modeling and Automation

Guest blog courtesy of D3 Security.

Context is key. At least, that’s what Tony UcedaVelez explains on the Let’s SOC About It podcast. And in Tony’s words, threat modeling “contextualizes threats, vulnerabilities, and attack patterns so that a product owner [can] understand what threats are really impactful.”

In this episode of Let’s SOC About It, the podcast by D3 Security, you hear from Tony UV, CEO and Co-founder of VerSprite Security, an MSSP based in Atlanta, Georgia. Amy Tom, D3’s Community Manager, sits down with Tony to ask how he packages Threat Modeling as a Service, how he creates a threat model, and how context strengthens security posture.

When MSSPs combine threat modeling methodologies (like PASTA) with an automation platform like D3, they offer better, faster, and more accurate threat response. They do this by:

1. Improving risk identification with threat modeling

2. Offering better contextualization of risks with enriched alert data

3. Proactively mitigating risks based on industry-specific intelligence

Tony also talks about the PASTA methodology (Process for Attack Simulation and Threat Analysis), his risk-centric approach to threat modeling that delves even deeper than the MITRE ATT&CK Matrix. PASTA allows businesses to map the attack surface to identify and mitigate industry-specific threats. PASTA emphasizes the business impact of threats, making the risk understandable to everyone across the organization. As Tony further explains, MSSPs can use the Fork Community Tool to evaluate a hierarchy of industry-specific threats that their customers face. MSSPs can use that information to create a targeted approach to risk mitigation that proactively addresses risks.

Episode Highlights

1. What is Threat Modeling? (00:00-03:04) Tony UV defines threat modeling as the process of building a model of potential threats to an organization. Unlike operational tasks like threat hunting and analysis, threat modeling is strategic and aims to identify potential risks early on, such as those affecting an entire company (e.g., a bank) or a specific product (e.g., software applications).

2. Building a Threat Model (03:04-06:12) A threat model includes a list of threats, attack patterns, vulnerabilities, and associated business impacts. These models can take many forms, from simple text descriptions to complex diagrams. The goal is to contextualize threats and align them with the organization's needs, which differentiates threat modeling from operational tools like pen tests and vulnerability scans.

3. Contextualizing Threats (06:12-09:24) Tony explains how threat modeling brings context to threat detection. Instead of relying on generic industry reports, threat modeling tailors security measures to the specific needs and risks of a business, just as personal security varies based on geographic location (e.g., Topeka vs. Atlanta).

4. PASTA Methodology for Threat Modeling (09:24-12:22) Tony introduces the PASTA methodology (Process for Attack Simulation and Threat Analysis), a risk-centric approach to threat modeling. Developed in 2015, this methodology involves seven steps, from understanding an application’s attack surface to correlating vulnerabilities with threats, making threat modeling more actionable and business-relevant.

5. Threat Modeling as a Service (12:22-17:53) Tony discusses how VerSprite Security offers threat modeling as a service, helping organizations implement threat modeling practices, especially for large companies with thousands of applications. They use a custom tool, "Fork," to streamline the process and provide clients with detailed reports on their threat libraries, vulnerabilities, and risks. VerSprite helps customers understand threat models using visual tools like spider graphs and other charts.

6. Using the Fork Community Tool (17:53-26:32) Tony advises people to check out the Fork Community Tool, which provides free access to industry-specific JSON threat libraries. It also provides tools to visualize risks for industries such as energy, retail, healthcare, and more. Tony also discusses how contextualizing threats with industry-specific data is key to identifying and prioritizing threats.
