A Threat-Driven Approach to Cyber
Security
Methodologies, Practices and Tools to Enable a Functionally Integrated Cyber
Security Organization
Michael Muckin, Scott C. Fitch
Lockheed Martin Corporation
Abstract
Contemporary cyber security risk management practices are largely driven by compliance
requirements, which force organizations to focus on security controls and vulnerabilities.
Risk management considers multiple facets – including assets, threats, vulnerabilities and
controls – which are jointly evaluated with the variables of probability and impact.
Threats cause damage to information systems. Threats utilize vulnerabilities to enact this
damage, and security controls are implemented to attempt to prevent or mitigate attacks
executed by threat actors. The unbalanced focus on controls and vulnerabilities prevents
organizations from combating the most critical element in risk management: the threats.
This unbalanced condition is manifested as incident response processes rather than threat
intelligence management in the analyst realm, adherence to predefined standards and
policies in security architecture and engineering practices, and compliance verification in
the operational domain.
A functionally integrated cyber security organization is structured to place threats at the
forefront of strategic, tactical and operational practices. Architects, engineers and
analysts adhere to a common methodology that incorporates threat analysis and threat
intelligence across systems development and operational processes. This ensures security
controls are implemented, evaluated and adjusted over time per the most impactful
threats and attack vectors. The resultant risk management practices are enhanced due to a
higher fidelity of information regarding current state security postures. This drives
improved resource allocation and spending, and produces an agile and resilient cyber
security practice. When this threat-driven approach is implemented along with tailored
compliance processes, organizations can produce information systems that are both
compliant and more secure.
Keywords: threat modeling, attack trees, threat profiles, threat intelligence, threat and risk, security
controls, cybersecurity, compliance
© Lockheed Martin Corporation
