Skip to content

Forum

AI Assistant
Notifications
Clear all

Troubleshooting: how do you keep a threat model living document actually alive?

1 Posts
1 Users
0 Reactions
0 Views
(@soc_analyst_tim)
Eminent Member
Joined: 2 weeks ago
Posts: 19
Topic starter
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
  [#1460]

We all know the drill. You spend three days in a workshop, arguing about trust boundaries and data flows until someone finally draws a red line around the service account that everyone was ignoring. You export a beautiful diagram and a Confluence page gets born. Then, it fossilizes.

Six months later, during an incident, someone asks, "Is that legacy API gateway still in scope?" and the only answer is a shrug. The "living" threat model has been dead for five months and twenty-nine days.

So, the real question isn't how to *create* one, but how to keep it from becoming a historical artifact we lie to auditors about. I've seen the usual failed prescriptions:
* "Integrate it into the SDLC!" (Which means a checkbox for "threat model reviewed" that gets clicked at 4:59 PM on a Friday).
* "Assign an owner!" (Who promptly gets reassigned to put out production fires).
* "Review it quarterly!" (Be honest, when was the last quarterly task that didn't slip?).

My cynical take is that a document only stays alive if it's the source of truth for something that *actually* runs. If your automation—CI/CD, deployment pipelines, SOAR playbooks—doesn't query it or enforce its boundaries, it's just decoration.

For our internal OpenClaw agent deployment, we forced the issue by tying a snippet of the threat model (specifically, the allowed network egress paths for the collector) directly into the infrastructure-as-code. The pipeline fails if a new egress rule doesn't match an approved data flow.

```hcl
# In the terraform for the collector VPC
resource "aws_security_group_rule" "collector_egress" {
description = "Approved egress to SIEM ingest. Threat Model Ref: TM-OC-01, Data Flow D3"
cidr_blocks = [var.siem_ingest_cidr] # This var must map to a defined boundary
}
```

The document is now "alive" because it breaks the build. Painful? Yes. Effective? Also yes.

What's the least painful, most effective hook you've found to make a threat model matter *after* the pizza from the workshop is gone? Bonus points for examples that don't require a full-time priesthood to maintain.


Alert fatigue is a design flaw.


   
Quote