Threat modeling and IT risk assessment are known to be time-consuming and difficult. This includes both the process of gathering information for the models and the actual assessment of risks. With securiCAD you can automate both activities by utilizing data you already have available and running quantitative attack simulations automatically.
Have you also experienced large programs aiming to do holistic modeling for an entire organization (don’t mention the words enterprise architecture), but failing miserably? This is not uncommon, and many organizations are rethinking their strategy when it comes to holistic systems modeling. Often this means starting small and building a successful business case to continue from. However, you don’t need to start small. With securiCAD by foreseeti you can automate the construction of your IT infrastructure threat model using data already available in your organization, for instance cloud configurations, network and/or vulnerability scans, firewall configurations and inventory systems. securiCAD automatically extracts the relevant information from each data source and combines it into one complete model of your IT infrastructure. The automatic model generation can also be combined with manually created models to represent systems for which no data is available, or parts of the infrastructure that are not yet in production.
Furthermore, most threat modeling applications rely on manual analysis of the model to figure out whether your system is secure or not. With securiCAD the analysis is automated by running simulated attacks across the entire IT infrastructure. The simulations test all types of attacks, taking known vulnerabilities and implemented countermeasures into account. Since the simulations are based on probabilistic statistics (Bayesian networks), they can also calculate the probability of zero-day vulnerabilities occurring and what their impact would be.
The only thing you as an end user need to do is tell the model which assets are most critical to you. Based on the attack simulation probabilities and the consequence of successful attacks on those assets, a risk assessment is provided. Since the tool is not only for modeling and assessing the current state, you can run different scenarios (for instance potential improvements) and see what effect they would have. For example: will the risks go down? If so, by how much compared to other scenarios? With the securiCAD API, users can get continuous risk assessments and automatically generated reports for tangible feedback on their risk exposure over time, and manage vulnerabilities based on objective, data-driven threat and risk simulations.
Article by: Robert Lagerström, Associate Professor in Software Systems Architecture & Security, KTH & foreseeti