Building Business-relevant Application Threat Models with FAIR STRIDE

Historically, there has been a disconnect between what security engineers see as risks or threats and how these risks are perceived by business leaders. FAIR STRIDE is a novel approach to driving strategic initiatives with business-relevant application threat models. 

Mikko Hyppönen pointed this out concisely during his keynote at RMISC 2019 by stating: “In security, when we do our jobs right, nothing happens.” In reality, this is not the case, but we have to observe the situation through a lens that can bring a security program’s value to light. In the scope of application security, the disconnect happens when security engineers express the impact of vulnerabilities on systems and applications, rather than their impact on the business itself.

On the one hand, an application security team enables the business to sell trustworthy products, usually by fulfilling compliance frameworks like SOC2 or ISO 27001. On the other hand, when security teams do their jobs right they prevent monetary losses from being inflicted on the company without slowing down the business.

To drive strategic planning and growth, the impact of any security initiative needs to be measured in a language that senior leaders and executives care about: dollars. A list of high, medium, and low severity bugs is not sufficient for this purpose. For the C-suite, the impact of losses should be measured in the form of bounties or ransoms paid, sales opportunities lost, litigation, incident response processes, PR campaigns, customer churn, etc. 

This article will examine how the FAIR STRIDE approach can help senior security leaders better understand the business justifications for maintaining or increasing your company’s security budget. First, we will describe how to enumerate threats with STRIDE. Then we will give a short primer on quantitative risk methods like FAIR. Finally, we will talk about how to combine the two to build threat models that can speak “business.”

STRIDE is a threat modeling framework created by Microsoft. It’s a systematic approach to enumerating threats against an asset by classifying the possible threats as either:

• Spoofing

• Tampering

• Repudiation

• Information disclosure 

• Denial of service

• Elevation of privilege

The output from STRIDE is a set of threats that can be mitigated based on their severity, usually classified as critical, high, medium, or low. 

The shortcoming of this approach is that it expresses its output as an ordinal scale. These scales are good at providing order between the elements that comprise them, however, they are not suitable for basic algebra. For example, it is not possible to answer a simple question like:  “Should I fix 1 high, 12 mediums, or 75 lows?” or “What is Low + Medium equal to?”

FAIR is a quantitative risk analysis framework, the acronym stands for: 

• Factor 

• Analysis in 

• Information 

• Risk

At a high level, FAIR analyzes risk by breaking each threat into the likelihood of an event occurring and its magnitude. The estimates that are provided by different SMEs in your business are then used as input for a Monte Carlo simulation which will extrapolate your uncertainty by generating some “historical” data using a simulation. Each iteration of the simulation will create a year of “historical” data.

You can then repeat the simulation, say, 1000 times and have 1000 years of “historical” data to analyze. This is very powerful, especially considering that in some areas of security, there often is almost no actual historical data available. The output from the simulation can then be aggregated to create a loss exceedance curve (LEC). More on that in a bit.

As the name suggests, FAIR STRIDE is an amalgamation of the threat enumeration provided by STRIDE and the quantitative methods of FAIR. By using this process, the output from STRIDE can be expressed in simulated dollars lost, rather than highs, mediums, and lows. 

Here’s how FAIR STRIDE works: 

For each threat identified in STRIDE, an SME needs to estimate:

• A probability P of an event occurring over the next 12 months.
  
  

• A 90% confidence interval for the financial impact this event might have if a compromise or incident occurs. Loss types that might be used to break down impact could be:
  
  

  • Engineering cycles 

  • IR/BCP/DR processes 

  • PR campaigns 

  • Customer churn 

  • Employee churn 

  • Litigation 

  • Responsible disclosure
    
    

This interval will be used as input to calibrate a log-normal distribution to describe our uncertainty, we chose this distribution because it has a long tail and no negative values.

Now we need to select a random value between 0 and 1:

• If the random value is less than, or equal to, the estimated probability P:

   

  • We choose a randomly selected value on the log-normal distribution we calibrated. This will be our loss for that event in that iteration of the simulation.

     

• If the random value is greater than the estimated probability P:

   

  • The loss for that event in that iteration of the simulation will be $0.

With these losses now enumerated for all threats, we can then run a Monte Carlo simulation that will output a loss exceedance curve, instead of using the usual CVSS score calculator which will map you to that high, medium, low, ordinal scale.

This is incredibly powerful for comparing seemingly unrelated elements of our program. For example, we can compare the value of one bug class to another (XSS vs clickjacking vs SSRF), or weigh the value of improving a process against technical control.

TL;DR about loss exceedance curves 

Loss exceedance curves, or LECs, are an aggregation of the output from the Monte Carlo simulation. If we have 1000 years of simulated data, we can now count the number of years where the loss was X dollars or more and have an answer to: “What is the probability that we will lose X dollars over the next year?” If we repeat that question incrementally from $0 lost to, say, $100M and plot the answer, we get an LEC.

Using LECs as strategic baselines, goal posts, and measurements of progress:

Mock Model:  Download >>

Baseline (inherent risk LEC):

The baseline posture, or inherent risk, is represented by the LEC that’s produced by our first pass at FAIR STRIDE for an application.

Goal post (risk tolerance LEC):

The goal post needs to be defined by the business, usually by senior leadership or executives depending on your org structure. If your leadership team is not sure how to set a goal post, ask for a few data points on their willingness to accept an X% chance per year of losing more than Y dollars.

In these conversations, you can define Y as, for example, $500k, then $5M, then $50M, and have the business determine what’s an acceptable X% for each of them. We can then interpolate those data points into a “goal post” LEC that all parties involved have bought into.

Measurement of progress (inherent vs. residual risk LECs):

We previously mentioned that we can use LECs to compare seemingly unrelated elements of our program. In risk terms, this means comparing the inherent risk LEC (baseline) to the residual risk LEC that is a result of us reducing either the probability of a loss event occurring or the impact of a loss event. 

There are several ways to measure that delta, or progress, between the two LECs. The option you pick will largely depend on what senior leadership cares about. Some businesses might want to focus on the tail end of the curve, say at the 80th percentile, while others are comfortable comparing the area under both curves, either using a Reimann sum or an integral.

So, what have we learned in this post? We can gain great strategic insight into the value of our initiatives by piping the output of a STRIDE threat model into a Monte Carlo Simulation rather than a CVSS score calculator. The resulting LECs allow us to set business-relevant goals, quantify our current posture, and measure our progress over time, by having all stakeholders speaking a common language: dollars.

I would also like to give a shout-out to three epic resources that were key to building FAIR STRIDE:

• Clint Gibler’s excellent keynote at BSidesSF 2020 was “How to 10X Your Company’s Security (Without a Series D)” (be sure to check out his phenomenal newsletter TL;DR sec)

• Douglas Hubbard and Richard Seiersen’s very thorough book: How To Measure Anything in Cybersecurity Risk

• And of course, the FAIR institute