In this interview with Archie Agarwal, Founder and CEO of ThreatModeler, he sheds his insights on their flagship solution for threat modeling and how they help organizations to ensure cybersecurity.
What were the founding factors that led to the conception of ThreatModeler?
We founded the company in 2010 and we developed a proof of concept product. In order to validate the effectiveness of the product we reached out to cyber security experts and received their feedback. Later in 2013, we decided to launch ThreatModeler as a commercial product. Since then, we have grown significantly and automated the process of threat modeling from a policy compliance perspective. We have the technological capability that can empower organizations to overcome security challenges from a security decision making perspective. We are uniquely positioned to cater to the increasing security demands of the current market.
Tell us more about your threat modeling platform?
Our platform provides a collaborative approach to threat modeling using detailed, UML (Unified Modeling Language) or data flow diagramming. The client gets both the visual component and a behind-the-scenes view of different technology components of threat modeling added to the diagram. We give them the ability to derive the security requirements that are mapped to these threats.
ThreatModeler Cloud Edition automatically builds threat models for cloud infrastructures, managing potential threats for AWS and Azure environments. Our out-of-the-box cloud security solution provides an understanding of organizations’ entire attack surface and empowers enterprises to manage their risks more effectively. ThreatModeler Cloud Edition effortlessly integrates with the CICD pipeline allowing DevOps teams to build a secure cloud infrastructure.
Our platform provides a collaborative approach to doing the threat modeling and we follow a granular approach to threat modeling using detailed, UML or data flow diagramming
Threat modeling has been historically a resource intensive, time consuming process. For the same reasons, companies are forced to limit their scope to a single, isolated application. This approach has significant flows. Companies who limit themselves to four or five threat models cannot develop a comprehensive understanding of their attack surface. If the security team and CISO of an organization fail to understand the attack surface deeply, there is no point in investing in threat modeling. Such a limited scope fails to give the CISO information about the organizations’ overall threat level and effectiveness of the current security initiatives undertaken.
Unlike the traditional approach, we focus on reducing the attack surface, and execute threat modeling for a variety of different applications to provide a big-picture about the security posture of an organization. This also enables the CISO to justify new budget requests or prioritize activities. Empower your security and development teams to identify high-level threats or areas where data could be exposed early on in the development phase—before they become a bigger problem. We enforce security standards by actively disseminating and promoting the use of secure code across the entire organization. As we focus on penetration testing on the most critical entry points in the applications to provide additional security. Additionally, we classify threats based on the risk levels and predict the outcomes in the event of a successful attack.
We are also providing continuity to the threat modeling process; they’re difficult to carry forward. That’s where a tool or platform like ThreatModeler makes all the difference, being able to fulfill this practice.
What are some of the key differentiators of ThreatModeler?
Our competitors focus mostly on compliance requirements when it comes to enterprise security. This “checking-the-box” way of cybersecurity is no alternative to tackle attacks. On the other hand, ThreatModeler comes with a collaborative approach by making use of architecture diagrams. Through this, the CISO of an organization can obtain a profound level of understanding about the security posture of their critical assets and the control measures that need to be put in place to mitigate them.
Is there a client success story that you want to highlight?
One of our customers had a team of security architects who were executing threat modeling either with TMT or some other approach. It took between 40 to 60 hours for that model to be built. When they started working with ThreatModeler, their time to build the threat model came down to three and a half hours. The client is now able to save a substantial amount of time, not to mention that most of the processes are now automated. This resulted in developing more threat models with the same number of resources as the applications were evolving. This helped them tremendously in their threat modeling process. The client is now getting to a point where they want to roll it out as a self-service model to all their development teams so that they build and maintain their own threat models.
What does the future hold for ThreatModeler?
Lately, we have been focusing more on automation and applying it on various critical processes that govern threat modeling. Meanwhile, we are taking feedback from our clients and using them for upgrading the features and functionalities of our platform.