This document discusses approaches for cybersecurity portfolio management. It addresses questions around identifying necessary versus unnecessary security products, gaps and overlaps in an existing portfolio, and defining a security strategy. Various frameworks are presented for conducting a structured portfolio analysis, including the OWASP Cyber Defense Matrix, CyberARM, Gartner's Security Posture Assessment, and the US-CCU Cyber-Security Matrix. Effective use of an existing security portfolio involves identifying control overlaps, integrating products, automating workflows, replacing multiple products, optimizing configurations, and ensuring appropriate coverage of assets based on a threat model.
2. What problems are we trying to discuss here?
• What security products do we really need, and which do we not?
• How do we Identify Gaps & Overlaps in Portfolio?
• How do we define our Security Products Strategy?
• What security products can be replaced or dropped?
• How do we understand and categorize security vendors using a standardized approach?
• How do we make optimal use of our existing cybersecurity product portfolio?
3. Current State of Security Spending
• Mostly Ad-hoc / Unplanned spending
• Overinvested in Some Areas
• Underinvested in Some Areas
• Sub-optimal choices
• How many security technologies do you need to start a security program?
• As per 451 Research (experts' view): the range is 4 to 31
• Generally, PCI DSS serves as the baseline
4. Shelfware – What’s Most Likely to End up there?
Source: Javvad Malik, 451 Research
6. CyberSecurity Tech Spending : Approaches
• Compliance Driven – What's the minimum required to stay compliant? (e.g. PCI DSS)
• Frameworks Based – What does NIST CSF / ISO 27001 etc. require?
• What are Others / Peers Doing?
• As a vendor, what customer commitments do we have?
• Budget Driven – How do we achieve 100% utilization of our FY budget?
• Based on Structured Portfolio Analysis – OUR FOCUS FOR TODAY
• What’s required for a balanced portfolio?
• Do we have enough / right controls based on our threat model?
14. Use Cases Summary
1. Identify Gaps & Overlaps (Design Patterns)
2. Understand the Security Posture of Others (vendors, employees, etc.)
3. Understand Where a Vendor's Offerings Fit
4. How Solutions in One Area Support Others (e.g. threat intelligence, TI)
5. Identify Orchestration Patterns
6. Decide on Platform vs Product Approach
16. CyberARM: Enhancement of CDM
• The phases of the kill chain are introduced as the third dimension of the CDM.
• Each class of security controls now has three attributes: Kill-Chain Phase, Enforcement Level, Security Function (SF).
Axes of the CyberARM matrix (shown on the slide as a 3-D grid):
• Security Function: Identify, Protect, Detect, Respond, Recover
• Asset class (the CDM rows): People, Network, Device, Application, Data
• KC (Kill-Chain) Phase: Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain
• Enforcement level
Source: http://www.ccaa-nsf.org/cyber-defense-matrix.html
22. US-CCU Cyber-Security Matrix
By U.S. Cyber Consequences Unit (US-CCU)
- www.usccu.us
The matrix can ALSO be used to evaluate defenses:
• A method for assessing the collective effectiveness of accumulated defensive measures
• A way of comparing and evaluating defensive products and services
• A basis for quantifying vulnerability in a way that can be utilized in a rigorous risk analysis
* Automation ~ IoT devices
23. Other Approaches – Nigel Wilson
Source: https://nigesecurityguy.wordpress.com/
25. Threat Modeling
The threat model is built from seven elements; each column lists the options for that element.

Attacker:
• Nation state – high motive, high capability
• Nation state – high motive, low capability
• Nation state – low motive, low capability
• Hacktivist – Anonymous
• Hacktivist – Lawsuit
• Traditional attention-seeking hacker
• Opportunist
• Malicious insider
• Non-malicious insider (accident)
• Malicious privileged user (administrator)

Tradecraft:
• Advertise wrong BGP routes
• Cable physically severed
• DNS cache poisoning
• SYN floods (denial of service)
• Data subpoenaed
• Targeted phishing
• SQL injection
• Cross-site scripting
• Password cracking
• Malware
• Physical theft
• Physical attack (guns/bullets)
• Social engineering

Vulnerability:
• Excessive/improper access
• User behavior
• Zero day
• Privilege escalation
• User manipulation
• Unpatched systems
• Posting personal data
• Insecure application development
• Known worm/virus

Action:
• Spoof
• Re-route
• Copy
• Read
• Probe
• Bypass
• Flood
• Deny
• Masquerade
• Gain trust
• Infiltrate

Target:
• Ports
• People
• IP addresses
• Big data
• Classified information
• Customer data
• Contacts
• Keys
• Credentials

Result:
• Theft
• Data loss
• Control
• Destroy
• Reputational damage
• Monetary loss
• Deny
• Identity fraud
• Shareholder action
• Regulatory investigation

Objective:
• Financial gain
• Intellectual property
• Strategic advantage
• Mayhem
• Bragging rights
• Damage economy
• Industrial espionage
Source: Michael J. Lewis, Chevron
29. How Do We Make the Best Use of Existing Investments?
1. Identify Control Overlaps – Which technologies protect the same thing with similar capabilities?
2. Integrations – Which products would benefit greatly from getting data from others?
3. Orchestration – Reduce analyst workload by automating workflows
4. Replacement – Which products can replace multiple others and save us time and cost? Products vs. platforms
5. Configuration Optimization – Are we using the recommended settings?
6. Deployment Footprint – Can security tech in one area be extended to another? Can it be tuned to do more than it does now? (e.g. DLP)
7. People – Do we have enough trained people, and are they using the tools correctly?
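The gap-and-overlap analysis of slides 14 and 16 and the control-overlap check above are mechanical once every product is mapped to the CDM cells it covers. As an added example (not from the slides, and not tooling from the CDM's authors), the following Python script maps a product inventory onto the 5x5 CDM, lists empty cells (gaps) and multiply-covered cells (overlap candidates), and orders the gaps by a threat-model weight per asset class. The product names, cell assignments and weights are constructed for illustration and are not a recommendation.

```python
"""Map a security-product inventory onto the Cyber Defense Matrix (CDM)
and report coverage gaps, overlapping controls and a threat-model-weighted
gap list. The inventory and weights below are constructed for illustration."""
from collections import defaultdict

# CDM axes as used on the slides: five functions x five asset classes.
FUNCTIONS = ["Identify", "Protect", "Detect", "Respond", "Recover"]
ASSET_CLASSES = ["Device", "Application", "Network", "Data", "People"]

# Constructed inventory: hypothetical product names, each mapped to the
# CDM cells (asset class, function) it actually covers in this deployment.
INVENTORY = {
    "EDR-A": [("Device", "Detect"), ("Device", "Respond")],
    "EDR-B": [("Device", "Detect")],  # second EDR agent: overlap candidate
    "NGFW": [("Network", "Protect")],
    "NIDS": [("Network", "Detect")],
    "DLP": [("Data", "Protect"), ("Data", "Detect")],
    "Backup": [("Data", "Recover")],
    "Asset inventory": [("Device", "Identify"), ("Application", "Identify")],
    "SAST": [("Application", "Identify")],
    "WAF": [("Application", "Protect")],
    "IdP with MFA": [("People", "Protect")],
    "Awareness training": [("People", "Protect")],
}

# Constructed threat-model weights: higher = more critical (crown jewels first).
THREAT_WEIGHTS = {"Data": 5, "People": 4, "Application": 3, "Device": 2, "Network": 2}


def build_matrix(inventory):
    """Return {(asset, function): [products]} for every CDM cell; reject unknown cells."""
    matrix = {(a, f): [] for a in ASSET_CLASSES for f in FUNCTIONS}
    for product, cells in inventory.items():
        for cell in cells:
            if cell not in matrix:
                raise ValueError(f"{product}: unknown CDM cell {cell}")
            matrix[cell].append(product)
    return matrix


def find_gaps(matrix):
    """Cells with no product at all."""
    return [cell for cell in matrix if not matrix[cell]]


def find_overlaps(matrix):
    """Cells covered by more than one product. These are candidates for
    consolidation, not proof of redundancy: two products in one cell may
    still have different capabilities (e.g. SAST vs. an asset inventory)."""
    return {cell: prods for cell, prods in matrix.items() if len(prods) > 1}


def prioritize_gaps(matrix, weights):
    """Order gaps by the threat-model weight of the asset class (descending),
    then by the CDM function order (Identify before Recover)."""
    return sorted(find_gaps(matrix),
                  key=lambda cell: (-weights.get(cell[0], 0), FUNCTIONS.index(cell[1])))


def coverage_by_asset(matrix):
    """Fraction of the five functions that have at least one product, per asset class."""
    covered = defaultdict(int)
    for (asset, _), prods in matrix.items():
        if prods:
            covered[asset] += 1
    return {a: covered[a] / len(FUNCTIONS) for a in ASSET_CLASSES}


def render(matrix):
    """Plain-text CDM grid: each cell shows the product count, '-' for a gap."""
    width = max(len(a) for a in ASSET_CLASSES) + 2
    lines = [" " * width + "".join(f"{f:>10}" for f in FUNCTIONS)]
    for asset in ASSET_CLASSES:
        row = "".join(f"{len(matrix[(asset, f)]) or '-':>10}" for f in FUNCTIONS)
        lines.append(f"{asset:<{width}}{row}")
    return "\n".join(lines)


if __name__ == "__main__":
    m = build_matrix(INVENTORY)
    print(render(m))
    print("\nOverlaps (review for consolidation):")
    for cell, prods in find_overlaps(m).items():
        print(f"  {cell}: {', '.join(prods)}")
    print("\nGaps, highest priority first:")
    for cell in prioritize_gaps(m, THREAT_WEIGHTS):
        print(f"  {cell}")
```

With the constructed inventory, 14 of the 25 cells are empty, and the first gaps reported are Data/Identify and Data/Respond because Data carries the highest weight. The cell assignments are the part that needs real work: map what a product is configured to do in your environment, not what the vendor's datasheet claims, or the matrix will hide the configuration and deployment-footprint problems that items 5 and 6 above are about.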
30. Are we Securing the right things?
• Crown Jewels
• Users
• Data – PII, PHI, Financial, IP, Employee, Vendors etc.
• Employee Assets
• Cloud Infra – SaaS, PaaS, IaaS? (and email if applicable)
• Shadow IT
• Applications, Networks, Endpoints
• IoT
• Vendor Access to Systems / Networks / Data