This document discusses approaches for cybersecurity portfolio management. It addresses questions around identifying necessary versus unnecessary security products, gaps and overlaps in an existing portfolio, and defining a security strategy. Various frameworks are presented for conducting a structured portfolio analysis, including the OWASP Cyber Defense Matrix, CyberARM, Gartner's Security Posture Assessment, and the US-CCU Cyber-Security Matrix. Effective use of an existing security portfolio involves identifying control overlaps, integrating products, automating workflows, replacing multiple products, optimizing configurations, and ensuring appropriate coverage of assets based on a threat model.

1. CyberSecurity Portfolio
Management : Approaches
Bikash Barai, Ravi Mishra

2. What problems are we trying to discuss here?
• What Security Products Do We Really Need & Don’t?
• How do we Identify Gaps & Overlaps in Portfolio?
• How do we define our Security Products Strategy?
• What security products can be replaced or dropped?
• How do we understand & categorize security vendors using a
standardized approach?
• How do we make the optimal use of my existing cybersecurity
products portfolio?

3. Current State of Security Spending
• Mostly Ad-hoc / Unplanned spending
• Overinvested in Some Areas
• Underinvested in Some Areas
• Sub-optimal choices
• How Many Security Tech do You Need to start the security program:
• As per 451 Research – Experts View:
• Range from 4 to 31
• Generally – PCI as baseline

4. Shelfware – What’s Most Likely to End up there?
Source: Javvad Malik, 451 Research

5. And Why?
Source: Javvad Malik, 451 Research

6. CyberSecurity Tech Spending : Approaches
• Compliance Driven – What’s the minimum required to stay
compliant? (e.g.: PCI-DSS)
• Frameworks Based – What does NIST CSF / ISO 27001 etc. require?
• What are Others / Peers Doing?
• As a Vendor, what Customer Commitments do we have ?
• Budget Driven – How can we have 100% utilization of our FY budget?
• Based on Structured Portfolio Analysis – OUR FOCUS FOR TODAY
• What’s required for a balanced portfolio?
• Do we have enough / right controls based on our threat model?

7. Frameworks for Structured Portfolio Analysis
• OWASP - Cyber Defense Matrix (Sounil Yu)
• CyberARM – UNCC
• Gartner – Security Posture Assessment
• Security Architecture using Threat Modeling
• US‒CCU Cyber-Security Matrix

8. OWASP Cyber Defense Matrix
https://www.owasp.org/index.php/OWASP_Cyber_Defense_Matrix

9. OWASP - Cyber Defense Matrix
• Common Language Based on 5 Asset Classes & NIST CSF
Source: Sounil Yu, RSAC 2016 Presentation

10. Sample View – Based on Mapping Tech
Source: Sounil Yu, RSAC 2016 Presentation

11. Identify Gaps & Overlaps
Possible
Gaps
Possible
Overlaps
Source: FireCompass.com

12. Views Across Asset Owners – Not Just Org
Source: Sounil Yu, RSAC 2016 Presentation

13. Classify the Products you’re Evaluating
Source: Sounil Yu, RSAC 2016 Presentation

14. Use Cases Summary
1. Identify Gaps & Overlaps (Design Patterns)
2. Understand the Security Posture of Others (Vendors, Employee etc.)
3. Understand where Vendor’s Offerings Fit
4. How Solutions in One Area Support Others (e.g.: TI)
5. Identify Orchestration Patterns
6. Decide on Platform vs Product Approach

15. CyberARM
Gartner
US CCU

16. CyberARM :Enhancement of CDM
• Phases of kill-chain has been introduced as the 3rd dimension of CDM.
• Each class of security controls has now three attributes: Kill-Chain Phase, Enforcement Level, Security Function(SF).
KC Phase
Security
Function
Enforcement
level
Identify Protect Detect Respond Recover
People
Network
Device
Application
Data
Control
Exploit
Deliver
Recon
Weaponize
Execute
Maintain
Source: http://www.ccaa-nsf.org/cyber-defense-matrix.html

17. CyberARM
Source: http://www.ccaa-nsf.org/cyber-defense-matrix.html

18. Gartner: All Frameworks Are Rewordings of
the Same Stuff
Source: Gartner

19. Gartner: Security Posture Assessment
Source: Gartner

20. Gartner : Sample View for SaaS
Source: Gartner

21. Gartner: Five Styles of Advanced Threat Defense
Source: Gartner

22. US-CCU Cyber-Security Matrix
By U.S. Cyber Consequences Unit (US-CCU)
- www.usccu.us
Can ALSO use the Matrix to Evaluate
Defenses
• A method for assessing the collective
effectiveness of accumulated defensive measures
• A way of comparing and evaluating defensive
products and services
• A basis for quantifying Vulnerability in a way that
can be utilized in a rigorous risk analysis
*Automation ~ IoT Devices

23. Other Approaches – Nigel Wilson
Source: https://nigesecurityguy.wordpress.com/

24. Using Threat Modeling

25. Threat Modeling
Attacker Tradecraft Vulnerability Action Target Result Objective
Nation State - high motive; high
capability
Advertise wrong BGP
routes Excessive/improper access Spoof Ports Theft Financial Gain
Nation State - high motive; low
capability Cable physically severed User behavior ReRoute People Data loss
Intellectual
property
Nation State - low motive; low
capability DNS cache poisoning Zero day Copy IP addresses Control
Strategic
advantage
Hacktivist - Anonymous
SYN floods (denial of
service) Privilege escalation Read Big data Destroy Mayhem
Hacktivist - Lawsuit Data subpoenaed User manipulation Probe
Classified
Information
Reputational
damage Bragging Rights
Traditional attention seeking hacker Targeted phishing Unpatched systems Bypass Customer data Monetary loss Damage economy
Opportunist SQL Injection Posting personal data Flood Contacts Deny
Industrial
espionage
Malicious insider Cross-site scripting
Insecure application
development Deny Keys Shareholder action
Non-malicious insider (accident) Password cracking Known worm/virus Identity Fraud Credentials
Regulatory
investigation
Malicious privileged user
(administrator) Malware Masquerade
Physical theft Gain trust
Physical attack (guns/
bullets) Infiltrate
Social engineering
Source: Michael J. Lewis, Chevron

26. Current Control Set Versus a Threat
Source: Michael J. Lewis, Chevron

27. Putting it all together – Addressing the Threat
Maintain Maintain & Improve Implement
Patching, AV, Email Security Awareness Training Virtualized browser
Hardened build Incident Response (Crisis Management) Specialized threat detection / APT Sec
IPS (Intrusion Prevention System) SIEM
Source: Michael J. Lewis, Chevron

28. Magnificent 7
• Encryption
• SIEM
• Vulnerability Management
• IDS/IPS
• AV
• Firewalls / NGFWs
• Monitoring (General)
Source: 451 Research
Other Recommended Solutions:
• Email Security Gateways
• Phishing Simulation & Awareness
• Web Security Gateways
• Application Security Testing

29. How Do we Make the Best use of Existing
Investments?
1. Identify Control Overlaps – Tech which are protecting the same thing
with similar capabilities?
2. Integrations - Some products can greatly benefit by getting data from
others?
3. Orchestration - Reduce analyst workloads by automating workflows
4. Replacement - What products can replace multiple products and help us
save time & cost? Products vs Platforms
5. Configuration Optimizations – Are we using the recommended settings?
6. Deployment Footprint – Can security tech in one area be extended to
other? Can it be tweaked to do more than it does now? (E.g.: DLP)
7. People – Do we have enough trained people and are they using it
correctly?

30. Are we Securing the right things?
• Crown Jewels
• Users
• Data – PII, PHI, Financial, IP, Employee, Vendors etc.
• Employee Assets
• Cloud Infra – SaaS, PaaS, IaaS? (and email if applicable)
• Shadow IT
• Applications, Networks, Endpoints
• IoT
• Vendor Access to Systems / Networks / Data

31. Thank You!