Automated Threat Modeling

Automated threat modeling is threat modeling performed with as much automation as possible, reducing the amount of manual work needed from team members and security team members and improving the quality of threat modeling results. It uses Artificial Intelligence (AI) to achieve automation.

Aristiun provides threat modeling solutions that allow you to quickly start threat modeling with automation. In this article, we’ll explain how we achieve this, and how it can help you with threat modeling! If you’d like to start, use the contact page.

Automated threat modeling has a number of advantages over manual threat modeling:

  • It requires less time from team members and security team members, which drives down the overall cost to the organization.
  • By spending less time on threat modeling, it’s possible to perform more effective threat modeling and to perform threat modeling more often (i.e., periodically, or even upon each major change).
  • It can yield more consistent and better results because you’re less dependent on the people performing the threat modeling.
  • Larger threat libraries can be applied quickly by using automated threat modeling. This can lead to the application of more rigorous threats and countermeasures.

How does Automated Threat Modeling Work?

Automated threat modeling works by having automated processes (backed by AI) perform key threat modeling steps.

Specifically, the automation helps by:

  • Assessing diagrams automatically with AI, to understand the technical context. For example, by feeding a diagram into an automated threat modeling tool, the tool will determine key components that require threat analysis.
  • Assigning threats and countermeasures (security requirements) automatically, based on the context of the application or solution being threat modeled.
  • Automatically checking whether countermeasures (security requirements) are met, by scanning the relevant environment (i.e., the hosting, or cloud hosting) for key security parameters against secure values.

What Tooling can be Used for Automated Threat Modeling?

Aristiun has tooling that performs automated threat modeling using AI.

The Aristiun tooling can automatically scan an architectural diagram or depiction of the application or solution to be threat modeled. It will assign threats and countermeasures (security requirements) that should be assessed or implemented. Further, the tooling can directly query Azure or AWS (and other cloud environments) for security adherence (to controls).

What are the Disadvantages of using Automated Threat Modeling?

Automated threat modeling can take away some of the thinking process. That is good for automating the process and saving time, but it can mean that team members are less involved and learn less than they would with manual threat modeling. However, there are ways to lessen the impact, for example by including team members in the review and/or resolution of threats identified automatically using AI.

Can Automated Threat Modeling Work with Threat Modeling Frameworks?

Yes – automated threat modeling can work well with threat modeling frameworks such as STRIDE threat modeling and PASTA threat modeling.

The Aristiun automated threat modeling tool can align with existing threat modeling frameworks, by aligning identified threats and countermeasures according to framework definitions.

What are the Steps Involved in Automated Threat Modeling using the Aristiun Tool?

The following steps are involved in using the Aristiun tool:

  1. Your (team) action: Upload a diagram that depicts your application or solution (consisting of components such as web servers, databases, firewalls, etc.).
  2. AI action: The Aristiun tool analyses the diagram automatically and identifies key components.
  3. AI action: Relevant threats and countermeasures are assigned to the key components automatically.
  4. Your (team) action: Verify threats determined by AI for relevance.
  5. Your (team) action: For valid threats, develop countermeasures or security requirements.
  6. AI action: The Aristiun tool can directly scan the cloud environment to verify whether security measures have been taken.
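
The assignment and verification steps above, as an added example that is not Aristiun's tool or code: it replaces the AI steps with a small rule lookup, takes the component list of step 2 as constructed input, and covers step 3 (assignment) and step 6 (verification). The rule library, setting names and environment snapshot are all hypothetical.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Rule:
    component_type: str   # component kind identified in the diagram
    stride: str           # STRIDE category of the threat
    threat: str
    countermeasure: str
    setting: str          # environment parameter that evidences the countermeasure
    is_secure: Callable[[object], bool]  # True when the observed value is secure

# Constructed threat library; names and settings are hypothetical.
LIBRARY = [
    Rule("database", "Information disclosure", "Data read from stolen storage media",
         "Encrypt data at rest", "encryption_at_rest", lambda v: v is True),
    Rule("database", "Tampering", "Records modified via an internet-exposed endpoint",
         "Disable public network access", "public_access", lambda v: v is False),
    Rule("web_server", "Information disclosure", "Traffic intercepted in transit",
         "Enforce TLS 1.2 or later", "min_tls", lambda v: v in ("1.2", "1.3")),
    Rule("storage", "Repudiation", "Object access leaves no audit trail",
         "Enable access logging", "access_logging", lambda v: v is True),
]

def assign_threats(components):
    """Step 3: attach every library rule that matches a component's type."""
    return [(c["name"], r) for c in components for r in LIBRARY
            if r.component_type == c["type"]]

def verify(assignments, environment):
    """Step 6: compare observed settings with secure values.
    A setting the scan did not return is UNKNOWN, never a pass."""
    findings = []
    for name, rule in assignments:
        observed = environment.get(name, {}).get(rule.setting)
        status = ("UNKNOWN" if observed is None
                  else "MET" if rule.is_secure(observed) else "NOT_MET")
        findings.append((name, rule.stride, rule.countermeasure, status))
    return findings

# Constructed sample input: parsed diagram components and a config-scan snapshot.
COMPONENTS = [{"name": "orders-db", "type": "database"},
              {"name": "shop-web", "type": "web_server"},
              {"name": "invoices", "type": "storage"}]
ENVIRONMENT = {"orders-db": {"encryption_at_rest": True, "public_access": True},
               "shop-web": {"min_tls": "1.0"}}

if __name__ == "__main__":
    for finding in verify(assign_threats(COMPONENTS), ENVIRONMENT):
        print(*finding, sep=" | ")
```

The UNKNOWN status keeps a component that the scan never reached (here `invoices`) on the team's review list in steps 4 and 5 instead of letting it pass silently.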

A Comparison of Automated Threat Modeling Versus Manual Threat Modeling

Let’s compare automated and manual threat modeling:

| | Manual Threat Modeling | Automated Threat Modeling |
| --- | --- | --- |
| Process | A team works together to develop a diagram of the application or solution. Based on the diagram (which provides understanding), threats are developed (highlighting weaknesses and areas of concern). Countermeasures or security requirements are developed to mitigate threats. Teams must then implement the countermeasures and security requirements. | An existing diagram is uploaded to the automated threat modeling solution. The automated threat modeling solution assigns threats and countermeasures (security requirements). Teams must then implement the countermeasures and security requirements. |
| Time taken | Significant time is required by the team to perform threat modeling. Additional time is required to actually implement security requirements. | Limited time is required by the team for threat modeling. Additional time is required to actually implement security requirements. |
| Knowledge of threat modeling required | Significant knowledge is required by the team (or a team member) to perform manual threat modeling. | Limited knowledge is required for automated threat modeling. |
| Training requirements | Training requirements are high, because knowledge is required. | Training requirements are low, because AI performs the most difficult parts. |
| Quality | Quality can be high, but is dependent on the level of knowledge of the team members involved. | Quality is high because the automated (or AI) tool provides key threat modeling implementation. |
| Scalability | Manual threat modeling is difficult to scale, because teams require training (which is difficult and costly to scale). Furthermore, team members leave, and new team members require additional training. | Threat modeling with automation can be scaled easily (by applying the threat modeling techniques more frequently). |

Comparison of automated threat modeling versus manual threat modeling

Conclusion

Automated Threat Modeling with Artificial Intelligence

Threat modeling can be a time-consuming activity. However, with automated threat modeling by Aristiun, you are able to save time, while performing effective threat modeling, especially if teams are understaffed, or perhaps unaware of security best practices.
