Understanding the Security Vendor Landscape Using the Cyber Defense Matrix
Session ID: PDIL-W02F
#RSAC
Sounil Yu
@sounilyu

Slide 2: Disclaimers

The views, opinions, and positions expressed in this presentation are solely my own.
It does not necessarily represent the views and opinions of my employer and does not constitute or imply any endorsement from or usage by my employer.

"All models are wrong, but some are useful."
- George E. P. Box

Slide 3: Our industry is full of jargon terms that make it difficult to understand what we are buying

To accelerate the maturity of our practice, we need a common language.

Slide 4: Our common language can be bounded by five asset classes and the NIST Cybersecurity Framework

Asset Classes
• DEVICES: Workstations, servers, VoIP phones, tablets, IoT, storage, network devices, infrastructure, etc.
• APPS: The software, interactions, and application flows on the devices
• NETWORKS: The connections and traffic flowing among devices and applications
• DATA: The information residing on, traveling through, or processed by the resources above
• USERS: The people using the resources listed above

Operational Functions
• IDENTIFY: Inventorying assets and vulns, measuring attack surface, baselining normal, risk profiling
• PROTECT: Preventing or limiting impact, patching, containing, isolating, hardening, managing access, vuln remediation
• DETECT: Discovering events, triggering on anomalies, hunting for intrusions, security analytics
• RESPOND: Acting on events, eradicating intrusion footholds, assessing damage, coordinating, reconstructing events forensically
• RECOVER: Returning to normal operations, restoring services, documenting lessons learned

Slide 5: Introducing the "Cyber Defense Matrix"

[Matrix figure: the five asset classes (Devices, Applications, Networks, Data, Users) are the rows and the five operational functions (Identify, Protect, Detect, Respond, Recover) are the columns. A "Degree of Dependency" band runs beneath the columns: the left-hand functions depend mostly on Technology, the right-hand functions mostly on People, with Process in between.]

Slide 6: Left and Right of "Boom"

[Same matrix, split at the point of compromise ("boom"): Identify and Protect are Pre-Event and give Structural Awareness; Detect, Respond, and Recover are Post-Event and give Situational Awareness. The Technology / Process / People degree-of-dependency band is as on slide 5.]

Slide 7: Enterprise Security Market Segments

[Matrix figure with the market segments below placed in their cells (asset class row by operational function column).]
• IAM
• Endpoint Visibility and Control / Endpoint Threat Detection & Response
• Configuration and Systems Management
• Data Labeling
• App Sec (SAST, DAST, IAST, RASP), WAFs
• Phishing Simulations
• DDoS Mitigation
• Insider Threat / Behavioral Analytics
• Network Security (FW, IPS)
• DRM, Data Encryption, DLP
• IDS, Netflow, Full PCAP
• AV, HIPS
• Deep Web, Brian Krebs, FBI
• Backup
• Phishing Awareness

Slide 8: We care about more than just the assets that are owned and controlled by the enterprise

Also shown around the enterprise: Threat Actors, Vendors, Customers, Employees

Enterprise Assets
• Devices - user workstations, servers, phones, tablets, IoT, peripherals, storage, network devices, web cameras, infrastructure devices, etc.
• Applications - the software, interactions, and application flows on the devices
• Network - the connections and traffic flowing among devices and applications
• Data - the information residing on, traveling through, or processed by the resources listed above
• Users - the people using the resources listed above

Operational Functions
• Identify - inventorying assets and vulnerabilities, measuring attack surface, baselining normal, risk profiling
• Protect - preventing or limiting impact, patching, containing, isolating, hardening, managing access, vuln remediation
• Detect - discovering events, triggering on anomalies, hunting for intrusions, security analytics
• Respond - acting on events, eradicating intrusion footholds, assessing damage, coordinating response, forensics
• Recover - returning to normal operations, restoring services, documenting lessons learned

Slide 9: Market Segments - Other Environments

[Four smaller matrices, one per environment, with the same asset class rows and operational function columns as the enterprise matrix.]

Threat Actor Assets
• Threat Data
• Intrusion Deception
• Malware Sandboxes

Vendor Assets
• Cloud Access Security Brokers
• Vendor Risk Assessments

Customer Assets
• Endpoint Fraud Detection
• Device Fingerprinting (appears in two cells)
• Web Fraud Detection

Employee Assets
• BYOD MAM
• BYOD MDM

Slide 10: Security Technologies Mapped by Asset Class

[Figure: vendor logos grouped under the five asset classes, with the asset class definitions from slide 4.]

Disclaimer: Vendors shown are representative only. No usage or endorsement should be construed because they are shown here.

Slide 11: Security Technologies Mapped by Operational Functions

[Figure: vendor logos grouped under the five operational functions, with the function definitions from slide 4. MSSPs / IR providers are also shown. Same vendor disclaimer as slide 10.]

Slide 12: Security Technologies by Asset Classes & Operational Functions

[Figure: vendor logos placed on the full matrix (asset class rows, operational function columns, Technology / Process / People degree-of-dependency band). Same vendor disclaimer as slide 10.]

Slide 13: Use Case 1: Understand how products in one area support the capabilities of another area

[Two matrices side by side: Threat Actor Assets and Enterprise Assets.]

Threat data providers fall into this category (on the Threat Actor Assets matrix)…

… and threat integration platforms consume, integrate, and drive action on threat data through other products that are in these categories (on the Enterprise Assets matrix).

Slide 14: Use Case 2: Define Security Design Patterns (a.k.a. Security Bingo Card)

[Matrix figure with an "O" in each of the 25 cells, for marking off which cells a security design pattern covers. Technology / Process / People degree-of-dependency band as before.]

Slide 15: Use Case 3: Maximizing Your Available Deployment Footprint (What vs Where)

[Two copies of the Protect column, one per capability. "What" is the capability; "Where" is the asset class row on which a product delivering it is deployed.]

What: Application Security
• RASP
• WAF
• Secure Coding

What: Endpoint Protection
• Anti-Malware
• Malware Sandbox
• Phishing Awareness

Slide 16: Use Case 4: The (network) perimeter is dead. Long live (other) perimeters

[PROTECT column. The table below is the slide's FROM x TO grid: each cell lists the mechanism that sits at the boundary between the FROM asset class and the TO asset class; "?" marks a cell with no established mechanism.]

FROM Devices
• TO Devices: SSH Certificates
• TO Apps: Client-side SSL Cert
• TO Networks: Geofencing, Fingerprinting, NAC
• TO Data: Encryption keys
• TO Users: ?

FROM Apps
• TO Devices: Server-Side SSL Cert
• TO Apps: API Key
• TO Networks: ?
• TO Data: Encryption keys
• TO Users: Enhanced SSL Certificates

FROM Networks
• TO Devices: 802.1X Certificate
• TO Apps: ?
• TO Networks: Firewall Rules
• TO Data: ?
• TO Users: ?

FROM Data
• TO Devices: Hashes / Checksums
• TO Apps: Hashes / Checksums
• TO Networks: ?
• TO Data: ?
• TO Users: Hashes / Checksums

FROM Users
• TO Devices: User Creds, Biometrics, 2FA
• TO Apps: User Creds, Biometrics, 2FA
• TO Networks: User Creds, 2FA
• TO Data: User Creds, 2FA
• TO Users: Photo ID, Handshake

Reduce/Eliminate these perimeters to make security more usable.

Slide 17: Use Case 5: Calculate Defense-in-Depth

[Matrix figure. Each filled cell holds a score for the control in that cell; the last column is each row's Defense in Depth Score and the last row is each column's D-in-D Score. The slide's values, read left to right per row with empty cells omitted, are:]

                Cell values                Row D-in-D Score
Devices         0.25  0.40  0.20           0.64
Applications    0.20  0.10  0.10  0.15     0.45
Networks        0.15  0.10  0.20           0.39
Data            0.05  0.10  0.20           0.32
Users           0.30  0.10                 0.37

Column D-in-D Scores (Identify, Protect, Detect, Respond, Recover): 0.52  0.36  0.51  0.35  0.46
Overall D-in-D Score: 44 (sum of columns and row * 100)

Note that a row score is not the plain sum of its cells (Devices would then be 0.85). Treating each cell as an independent layer and scoring the chance that at least one layer works, 1 - (1 - 0.25)(1 - 0.40)(1 - 0.20) = 0.64, reproduces all five row scores shown.

Slide 18: Use Case 6: Understand how to balance your portfolio without breaking the bank

[Same matrix layout, with spend per cell. Values per row, read left to right with empty cells omitted, followed by the row total; the last row gives the column totals.]

                Cell spend                   Row Total
Devices         $50   $100  $50              $200
Applications    $50   $100  $50   $100       $300
Networks        $100  $100  $50              $250
Data            $50   $50   $50              $150
Users           $50   $50                    $100

Column Totals (Identify, Protect, Detect, Respond, Recover): $200  $200  $250  $150  $200
Total: $1000
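Use Case 5's Defense-in-Depth scores and Use Case 6's budget totals worked through in Python, as an added example that is not part of the original deck. The cell values are the ones printed on slides 17 and 18, but which column each value sits in is assumed here, and the combination rule 1 - prod(1 - p) is this example's reading of the row scores rather than a formula the slide states; `layered_score`, `balance_report` and the other names are introduced here.

```python
from math import prod

# Added example, not from Sounil Yu's deck: scoring a Cyber Defense Matrix for
# Use Case 5 (Defense-in-Depth) and Use Case 6 (portfolio balance).  The cell
# values are the ones printed on slides 17 and 18; the slides list each row's
# values left to right without naming the column, so the column each value is
# placed in here is an assumption.  Row scores and row totals do not depend on
# that placement; column results do.

ASSETS = ["Devices", "Applications", "Networks", "Data", "Users"]
FUNCTIONS = ["Identify", "Protect", "Detect", "Respond", "Recover"]

# Use Case 5: per-cell efficacy (chance that the control in the cell does its
# job); slide 17 values, assumed placement.  Cells not listed hold no control.
EFFICACY = {
    ("Devices", "Identify"): 0.25, ("Devices", "Detect"): 0.40,
    ("Devices", "Respond"): 0.20,
    ("Applications", "Identify"): 0.20, ("Applications", "Detect"): 0.10,
    ("Applications", "Respond"): 0.10, ("Applications", "Recover"): 0.15,
    ("Networks", "Identify"): 0.15, ("Networks", "Detect"): 0.10,
    ("Networks", "Recover"): 0.20,
    ("Data", "Identify"): 0.05, ("Data", "Protect"): 0.10,
    ("Data", "Recover"): 0.20,
    ("Users", "Protect"): 0.30, ("Users", "Respond"): 0.10,
}

# Use Case 6: spend per cell in dollars; slide 18 values, assumed placement.
BUDGET = {
    ("Devices", "Identify"): 50, ("Devices", "Protect"): 100,
    ("Devices", "Recover"): 50,
    ("Applications", "Identify"): 50, ("Applications", "Protect"): 100,
    ("Applications", "Detect"): 50, ("Applications", "Recover"): 100,
    ("Networks", "Identify"): 100, ("Networks", "Detect"): 100,
    ("Networks", "Respond"): 50,
    ("Data", "Detect"): 50, ("Data", "Respond"): 50, ("Data", "Recover"): 50,
    ("Users", "Detect"): 50, ("Users", "Respond"): 50,
}


def layered_score(values):
    """Defense-in-depth score for one row or column of the matrix.

    The slide does not print its formula.  Treating each cell as an
    independent layer and asking how likely it is that at least one layer
    works, 1 - prod(1 - p), reproduces all five row scores on slide 17
    (0.64, 0.45, 0.39, 0.32, 0.37); a plain sum does not (Devices would
    be 0.85).  With no cells at all the score is 0.
    """
    return 1.0 - prod(1.0 - p for p in values)


def _row(matrix, asset):
    return [v for (a, _), v in matrix.items() if a == asset]


def _column(matrix, function):
    return [v for (_, f), v in matrix.items() if f == function]


def row_scores(matrix=EFFICACY):
    """D-in-D score per asset class, rounded as on the slide."""
    return {a: round(layered_score(_row(matrix, a)), 2) for a in ASSETS}


def column_scores(matrix=EFFICACY):
    """D-in-D score per operational function (depends on cell placement)."""
    return {f: round(layered_score(_column(matrix, f)), 2) for f in FUNCTIONS}


def overall_score(matrix=EFFICACY):
    """Single portfolio number.  Slide 17 prints 44 with the caption
    "(sum of columns and row * 100)"; one reading of that caption which
    matches is the mean of the ten row and column scores, times 100."""
    marginals = [layered_score(_row(matrix, a)) for a in ASSETS]
    marginals += [layered_score(_column(matrix, f)) for f in FUNCTIONS]
    return round(100 * sum(marginals) / len(marginals))


def row_totals(spend=BUDGET):
    return {a: sum(_row(spend, a)) for a in ASSETS}


def column_totals(spend=BUDGET):
    return {f: sum(_column(spend, f)) for f in FUNCTIONS}


def grand_total(spend=BUDGET):
    return sum(spend.values())


def uncovered_cells(matrix=EFFICACY):
    """Empty squares on the bingo card: cells with no control at all."""
    return [(a, f) for a in ASSETS for f in FUNCTIONS if (a, f) not in matrix]


def balance_report(matrix=EFFICACY, spend=BUDGET):
    """Per function: dollars spent against the D-in-D score they buy, most
    expensive per point of score first.  This is the "balance the portfolio"
    view of Use Case 6; a function with no score at all gets None."""
    scores, totals = column_scores(matrix), column_totals(spend)
    rows = []
    for f in FUNCTIONS:
        per_point = round(totals[f] / scores[f]) if scores[f] else None
        rows.append((f, totals[f], scores[f], per_point))
    return sorted(rows, key=lambda r: -(r[3] or 0))
```

With the assumed placement, Protect ends up the most expensive function per point of score and Identify the cheapest, which is the kind of imbalance the slide asks you to look for.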

Slide 19: Use Case 7: Anticipate the "Effective Half Life" of People Skills, Processes, and Technologies

[Matrix figure with the Technology / Process / People degree-of-dependency band; each of the 25 cells carries numeric estimates.]

New detection technologies may need to be rolled out EVERY TWO YEARS to maintain efficacy at 50% or higher.

Staff need training EVERY YEAR to maintain efficacy at 50% or higher.
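The half-life rule of thumb from this slide turned into a refresh schedule, as an added example that is not code from the original deck. Efficacy is modelled as halving every `half_life` years after a refresh; the portfolio of controls and the 3-year process half-life are constructed, and only the two half-lives the slide states in words (detection technology about two years, staff skills about one year) are taken from it. `Control`, `efficacy`, `refresh_interval`, `refresh_years`, `schedule` and `below_floor` are names introduced here.

```python
from dataclasses import dataclass
from math import log2

# Added example, not from Sounil Yu's deck: the "effective half-life" idea of
# Use Case 7 as a refresh schedule.  A cell's efficacy halves every
# `half_life` years after its last refresh (technology roll-out, playbook
# rewrite, staff training); the floor is the slide's "50% or higher".

FLOOR = 0.50  # slide 19: keep efficacy at 50% or higher


@dataclass(frozen=True)
class Control:
    cell: str            # matrix cell, e.g. "Networks/Detect"
    kind: str            # "technology", "process" or "people" (bottom axis)
    half_life: float     # years for efficacy to halve with no refresh
    last_refresh: float  # year it was last rolled out / rewritten / trained


def efficacy(control, year):
    """Fraction of the control's original efficacy left at `year`."""
    elapsed = max(0.0, year - control.last_refresh)
    return 0.5 ** (elapsed / control.half_life)


def refresh_interval(half_life, floor=FLOOR):
    """Longest gap between refreshes that keeps efficacy >= floor.
    Solving 0.5 ** (t / h) = floor gives t = h * log2(1 / floor); at a 50%
    floor that is exactly one half-life, which is the slide's rule of thumb."""
    return half_life * log2(1.0 / floor)


def refresh_years(control, start_year, end_year, floor=FLOOR):
    """Years within [start_year, end_year] at which the control must be
    refreshed, assuming each refresh happens as soon as it is due."""
    step = refresh_interval(control.half_life, floor)
    due, years = control.last_refresh + step, []
    while due <= end_year + 1e-9:
        if due >= start_year:
            years.append(round(due, 2))
        due += step
    return years


def schedule(controls, start_year, end_year, floor=FLOOR):
    """Year -> cells due for refresh that year, across the whole portfolio."""
    out = {}
    for c in controls:
        for y in refresh_years(c, start_year, end_year, floor):
            out.setdefault(y, []).append(c.cell)
    return dict(sorted(out.items()))


def below_floor(controls, year, floor=FLOOR):
    """Cells whose efficacy has decayed under the floor by `year` if nothing
    was refreshed since `last_refresh`: the gaps Use Case 7 warns about."""
    return [c.cell for c in controls if efficacy(c, year) < floor]


# Constructed portfolio; the half-lives of the first two follow the slide's
# two statements, the third is made up for illustration.
PORTFOLIO = [
    Control("Networks/Detect", "technology", 2.0, 2016.0),  # every two years
    Control("Users/Respond", "people", 1.0, 2016.0),        # every year
    Control("Devices/Protect", "process", 3.0, 2015.0),     # constructed
]
```

`schedule(PORTFOLIO, 2016, 2020)` puts all three cells due in 2018, which is the year the portfolio has the most refresh work stacked up.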

Slide 20: Use Case 8: Disintermediate Components for Easier Orchestration

[Architecture figure: individual components, each named by its environment, asset class, and operational function, exchange messages over a Common Message Fabric. Same vendor disclaimer as slide 10.]

Components shown on the fabric:
• Vendor Application Protection
• Enterprise Network Detection
• Enterprise Device Response
• Customer Device Protection
• Threat Actor Application Identification
• Enterprise Network Identification
• Customer Device Identification

Slide 21: Use Case 9: Differentiate between a platform and a product

[Matrix figure with "Product" and "Platform" marked on it; Technology / Process / People degree-of-dependency band as before.]

What makes a technology a "platform"?
1. Enables enterprises to operate as mechanics and not just chauffeurs
2. Exposes all its functions through APIs for easier integration with other technologies and capabilities
3. Leverages data exchange standards that enable interchangeable components

Slide 22: Use Case 10: Identifying Opportunities to Accelerate the People>Process>Technology Lifecycle

[Matrix figure with two callouts over the degree-of-dependency band: "Usually Fighting Against Technology" at the technology-dependent end and "Usually Fighting Against People" at the people-dependent end.]

The lifecycle runs as a loop:
• New discoveries and war stories!
• … get codified into playbooks & checklists …
• … which get embedded into technology.

Slide 23: Use Case 11: Identify technology gaps or overreliance in your technology portfolio

[Matrix figure: each cell holds a tally of check marks, one per technology deployed there; cells with none are gaps and cells with many show overreliance. Technology / People / Process degree-of-dependency band as before.]

Slide 24: Model Shortfalls: Where is analytics? GRC? Orchestration?

This framework supports the higher level functions of orchestration, analytics, and governance/risk/compliance, but they are represented on a different dimension.

[Figure: GRC, Analytics, and Orchestration drawn on that additional dimension of the matrix.]

Slide 25: Comparison of Models: Gartner's Five Styles of Advanced Threat Defense

Source: Gartner

Gartner's grid has Time across the top (Real Time / Near Real Time vs. Post Compromise (Days/Weeks)) and Where to Look down the side (Network, Payload, Endpoint):

Where to Look   Real Time / Near Real Time           Post Compromise (Days/Weeks)
Network         Style 1: Network Traffic Analysis    Style 2: Network Forensics
Payload         Style 3: Payload Analysis (spans both time frames)
Endpoint        Style 4: Endpoint Behavior Analysis  Style 5: Endpoint Forensics

Mapped onto the Cyber Defense Matrix: Styles 1, 2, 4 and 5 fall on the Enterprise Assets matrix; Style 3 falls on the Threat Actor Assets matrix.

Slide 26: Applying the Cyber Defense Matrix

This week:
• Use the matrix to categorize vendors that you encounter in the Expo Hall
• Ask them where they fit and don't allow them to be in multiple shopping aisles

In the first three months following this presentation you should:
• Send me feedback on how you have mapped vendors to it
• Organize your portfolio of technologies to see where you might have gaps
• Identify vendors that may round out your portfolio based on your security design pattern (a.k.a. security bingo card)

Within six months you should:
• Send me feedback on how you used the Cyber Defense Matrix and improved it

Slide 27: Sounil Yu
@sounilyu
More Related Content

What's hot

Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Distributed Immutable Ephemeral - New Paradigms for the Next Era of SecurityDistributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Distributed Immutable Ephemeral - New Paradigms for the Next Era of SecuritySounil Yu
 
Splunk Enterprise Security
Splunk Enterprise SecuritySplunk Enterprise Security
Splunk Enterprise SecuritySplunk
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Sqrrl
 
Threat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalPriyanka Aash
 
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...PECB
 
Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKMITRE ATT&CK
 
SOC: Use cases and are we asking the right questions?
SOC: Use cases and are we asking the right questions?SOC: Use cases and are we asking the right questions?
SOC: Use cases and are we asking the right questions?Jonathan Sinclair
 
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...IBM Security
 
Building Security Operation Center
Building Security Operation CenterBuilding Security Operation Center
Building Security Operation CenterS.E. CTS CERT-GOV-MD
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتReZa AdineH
 
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CKTracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CKMITRE ATT&CK
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center FundamentalAmir Hossein Zargaran
 
What We’ve Learned Building a Cyber Security Operation Center: du Case Study
What We’ve Learned Building a Cyber  Security Operation Center: du Case  StudyWhat We’ve Learned Building a Cyber  Security Operation Center: du Case  Study
What We’ve Learned Building a Cyber Security Operation Center: du Case StudyPriyanka Aash
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Jorge Orchilles
 
Security Operation Center - Design & Build
Security Operation Center - Design & BuildSecurity Operation Center - Design & Build
Security Operation Center - Design & BuildSameer Paradia
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)Ahmed Ayman
 
Governance of security operation centers
Governance of security operation centersGovernance of security operation centers
Governance of security operation centersBrencil Kaimba
 
IBM Qradar & resilient
IBM Qradar & resilientIBM Qradar & resilient
IBM Qradar & resilientPrime Infoserv
 
How I Learned to Stop Information Sharing and Love the DIKW
How I Learned to Stop Information Sharing and Love the DIKWHow I Learned to Stop Information Sharing and Love the DIKW
How I Learned to Stop Information Sharing and Love the DIKWSounil Yu
 

What's hot (20)

Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Distributed Immutable Ephemeral - New Paradigms for the Next Era of SecurityDistributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security
 
Splunk Enterprise Security
Splunk Enterprise SecuritySplunk Enterprise Security
Splunk Enterprise Security
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)
 
Threat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formal
 
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
 
Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CK
 
SOC: Use cases and are we asking the right questions?
SOC: Use cases and are we asking the right questions?SOC: Use cases and are we asking the right questions?
SOC: Use cases and are we asking the right questions?
 
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
 
Building Security Operation Center
Building Security Operation CenterBuilding Security Operation Center
Building Security Operation Center
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
 
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CKTracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center Fundamental
 
Cybersecurity Frameworks for DMZCON23 230905.pdf
Cybersecurity Frameworks for DMZCON23 230905.pdfCybersecurity Frameworks for DMZCON23 230905.pdf
Cybersecurity Frameworks for DMZCON23 230905.pdf
 
What We’ve Learned Building a Cyber Security Operation Center: du Case Study
What We’ve Learned Building a Cyber  Security Operation Center: du Case  StudyWhat We’ve Learned Building a Cyber  Security Operation Center: du Case  Study
What We’ve Learned Building a Cyber Security Operation Center: du Case Study
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
 
Security Operation Center - Design & Build
Security Operation Center - Design & BuildSecurity Operation Center - Design & Build
Security Operation Center - Design & Build
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
 
Governance of security operation centers
Governance of security operation centersGovernance of security operation centers
Governance of security operation centers
 
IBM Qradar & resilient
IBM Qradar & resilientIBM Qradar & resilient
IBM Qradar & resilient
 
How I Learned to Stop Information Sharing and Love the DIKW
How I Learned to Stop Information Sharing and Love the DIKWHow I Learned to Stop Information Sharing and Love the DIKW
How I Learned to Stop Information Sharing and Love the DIKW
 

Similar to Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (RSA Conference 2016)

Insecure magazine - 52
Insecure magazine - 52Insecure magazine - 52
Insecure magazine - 52Felipe Prado
 
Mobile phone as Trusted identity assistant
Mobile phone as Trusted identity assistantMobile phone as Trusted identity assistant
Mobile phone as Trusted identity assistantVladimir Jirasek
 
Anatomy of a cyber attack
Anatomy of a cyber attackAnatomy of a cyber attack
Anatomy of a cyber attackMark Silver
 
Unicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecurityUnicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecuritySubho Halder
 
IDS+Honeypots Making Security Simple
IDS+Honeypots Making Security SimpleIDS+Honeypots Making Security Simple
IDS+Honeypots Making Security SimpleGregory Hanis
 
Summer internship - Cybersecurity
Summer internship - CybersecuritySummer internship - Cybersecurity
Summer internship - CybersecurityAbhilashYadav14
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Sholove cyren web security - technical datasheet2
Sholove cyren web security  - technical datasheet2Sholove cyren web security  - technical datasheet2
Sholove cyren web security - technical datasheet2SHOLOVE INTERNATIONAL LLC
 
ISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and PrivacyISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and PrivacyMichael Davis
 
Information Security Risk Management
Information Security Risk ManagementInformation Security Risk Management
Information Security Risk Managementipspat
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Securitysudip pudasaini
 
2 20613 qualys_top_10_reports_vm
2 20613 qualys_top_10_reports_vm2 20613 qualys_top_10_reports_vm
2 20613 qualys_top_10_reports_vmazfayel
 
Cyber Security: A Hands on review
Cyber Security: A Hands on reviewCyber Security: A Hands on review
Cyber Security: A Hands on reviewMiltonBiswas8
 
Domain 7 of CEH Mobile Platform, IoT, and OT Hacking.pptx
Domain 7 of CEH Mobile Platform, IoT, and OT Hacking.pptxDomain 7 of CEH Mobile Platform, IoT, and OT Hacking.pptx
Domain 7 of CEH Mobile Platform, IoT, and OT Hacking.pptxInfosectrain3
 
Безопасность данных мобильных приложений. Мифы и реальность.
Безопасность данных мобильных приложений. Мифы и реальность.Безопасность данных мобильных приложений. Мифы и реальность.
Безопасность данных мобильных приложений. Мифы и реальность.Advanced monitoring
 
Marlabs cyber threat management
Marlabs cyber threat managementMarlabs cyber threat management
Marlabs cyber threat managementRajendra Menon
 
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.Scalar Decisions
 
Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016Karl Kispert
 
SECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложений
SECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложенийSECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложений
SECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложенийSECON
 

Similar to Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (RSA Conference 2016) (20)

Insecure magazine - 52
Insecure magazine - 52Insecure magazine - 52
Insecure magazine - 52
 
Mobile phone as Trusted identity assistant
Mobile phone as Trusted identity assistantMobile phone as Trusted identity assistant
Mobile phone as Trusted identity assistant
 
Anatomy of a cyber attack
Anatomy of a cyber attackAnatomy of a cyber attack
Anatomy of a cyber attack
 
Unicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecurityUnicom Conference - Mobile Application Security
Unicom Conference - Mobile Application Security
 
IDS+Honeypots Making Security Simple
IDS+Honeypots Making Security SimpleIDS+Honeypots Making Security Simple
IDS+Honeypots Making Security Simple
 
Summer internship - Cybersecurity
Summer internship - CybersecuritySummer internship - Cybersecurity
Summer internship - Cybersecurity
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Sholove cyren web security - technical datasheet2
Sholove cyren web security  - technical datasheet2Sholove cyren web security  - technical datasheet2
Sholove cyren web security - technical datasheet2
 
ISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and PrivacyISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and Privacy
 
Information Security Risk Management
Information Security Risk ManagementInformation Security Risk Management
Information Security Risk Management
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Information Security 201
Information Security 201Information Security 201
Information Security 201
 
2 20613 qualys_top_10_reports_vm
2 20613 qualys_top_10_reports_vm2 20613 qualys_top_10_reports_vm
2 20613 qualys_top_10_reports_vm
 
Cyber Security: A Hands on review
Cyber Security: A Hands on reviewCyber Security: A Hands on review
Cyber Security: A Hands on review
 
Domain 7 of CEH Mobile Platform, IoT, and OT Hacking.pptx
Domain 7 of CEH Mobile Platform, IoT, and OT Hacking.pptxDomain 7 of CEH Mobile Platform, IoT, and OT Hacking.pptx
Domain 7 of CEH Mobile Platform, IoT, and OT Hacking.pptx
 
Безопасность данных мобильных приложений. Мифы и реальность.
Безопасность данных мобильных приложений. Мифы и реальность.Безопасность данных мобильных приложений. Мифы и реальность.
Безопасность данных мобильных приложений. Мифы и реальность.
 
Marlabs cyber threat management
Marlabs cyber threat managementMarlabs cyber threat management
Marlabs cyber threat management
 
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
 
Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016
 
SECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложений
SECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложенийSECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложений
SECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложений
 
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (RSA Conference 2016)

  • 1. SESSION ID: PDIL-W02F #RSAC. Sounil Yu (@sounilyu). Understanding the Security Vendor Landscape Using the Cyber Defense Matrix
  • 2. Disclaimers. The views, opinions, and positions expressed in this presentation are solely my own. It does not necessarily represent the views and opinions of my employer and does not constitute or imply any endorsement from or usage by my employer. "All models are wrong, but some are useful" - George E. P. Box
  • 3. Our industry is full of jargon terms that make it difficult to understand what we are buying. To accelerate the maturity of our practice, we need a common language.
  • 4. Our common language can be bounded by five asset classes and the NIST Cybersecurity Framework.
    Asset classes:
    DEVICES - workstations, servers, VoIP phones, tablets, IoT, storage, network devices, infrastructure, etc.
    APPS - the software, interactions, and application flows on the devices
    NETWORKS - the connections and traffic flowing among devices and applications
    DATA - the information residing on, traveling through, or processed by the resources above
    USERS - the people using the resources listed above
    Operational functions:
    IDENTIFY - inventorying assets and vulns, measuring attack surface, baselining normal, risk profiling
    PROTECT - preventing or limiting impact, patching, containing, isolating, hardening, managing access, vuln remediation
    DETECT - discovering events, triggering on anomalies, hunting for intrusions, security analytics
    RESPOND - acting on events, eradicating intrusion footholds, assessing damage, coordinating, reconstructing events forensically
    RECOVER - returning to normal operations, restoring services, documenting lessons learned
  • 5. Introducing the "Cyber Defense Matrix". Rows: Devices, Applications, Networks, Data, Users. Columns: Identify, Protect, Detect, Respond, Recover. Beneath the columns, a "degree of dependency" scale shows how much each function relies on technology, people, and process.
  • 6. Left and Right of "Boom". The left side of the matrix (Identify, Protect) is pre-event: structural awareness. The right side (Detect, Respond, Recover) is post-event: situational awareness.
  • 7. Enterprise Security Market Segments, placed on the matrix: IAM; Endpoint Visibility and Control / Endpoint Threat Detection & Response; Configuration and Systems Management; Data Labeling; App Sec (SAST, DAST, IAST, RASP), WAFs; Phishing Simulations; DDoS Mitigation; Insider Threat / Behavioral Analytics; Network Security (FW, IPS); DRM; Data Encryption, DLP; IDS; Netflow; Full PCAP; AV, HIPS; Deep Web, Brian Krebs, FBI; Backup; Phishing Awareness.
  • 8. We care about more than just the assets that are owned and controlled by the enterprise: Threat Actors, Vendors, Customers, Employees, and Enterprise Assets.
    Enterprise Assets:
    Devices - user workstations, servers, phones, tablets, IoT, peripherals, storage, network devices, web cameras, infrastructure devices, etc.
    Applications - the software, interactions, and application flows on the devices
    Network - the connections and traffic flowing among devices and applications
    Data - the information residing on, traveling through, or processed by the resources listed above
    Users - the people using the resources listed above
    Operational Functions:
    Identify - inventorying assets and vulnerabilities, measuring attack surface, baselining normal, risk profiling
    Protect - preventing or limiting impact, patching, containing, isolating, hardening, managing access, vuln remediation
    Detect - discovering events, triggering on anomalies, hunting for intrusions, security analytics
    Respond - acting on events, eradicating intrusion footholds, assessing damage, coordinating response, forensics
    Recover - returning to normal operations, restoring services, documenting lessons learned
  • 9. Market Segments - Other Environments (each environment gets its own copy of the matrix):
    Threat Actor Assets: Threat Data; Intrusion Deception; Malware Sandboxes
    Vendor Assets: Cloud Access Security Brokers; Vendor Risk Assessments
    Customer Assets: Endpoint Fraud Detection; Device Fingerprinting; Web Fraud Detection
    Employee Assets: BYOD MAM; BYOD MDM
  • 10. Security Technologies Mapped by Asset Class: vendor logos grouped under DEVICES, APPS, NETWORKS, DATA, and USERS, with the asset-class definitions from slide 4. Disclaimer: vendors shown are representative only. No usage or endorsement should be construed because they are shown here.
  • 11. Security Technologies Mapped by Operational Functions: vendor logos grouped under IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER, with the function definitions from slide 4; MSSPs / IR also appear.
  • 12. Security Technologies by Asset Classes & Operational Functions: the vendors from slides 10 and 11 placed in the cells of the matrix.
  • 13. Use Case 1: Understand how products in one area support the capabilities of another area. Threat data providers fall into the Threat Actor Assets matrix, and threat integration platforms consume, integrate, and drive action on threat data through other products that sit in the Enterprise Assets matrix.
  • 14. Use Case 2: Define Security Design Patterns (a.k.a. Security Bingo Card). Mark the cells of the matrix (an "O" in each of the 25 cells on this slide) that a design pattern requires.
  • 15. Use Case 3: Maximizing Your Available Deployment Footprint (What vs Where). Under Protect, "what" a capability is differs from "where" it is deployed across Devices, Applications, Networks, Data, and Users. What: Application Security, delivered as RASP, WAF, and Secure Coding. What: Endpoint Protection, delivered as Anti-Malware, Malware Sandbox, and Phishing Awareness.
  • 16. Use Case 4: The (network) perimeter is dead. Long live (other) perimeters. Under Protect, each pair of asset classes has its own authentication perimeter (rows: FROM; columns: TO; "?" marks a cell with no established mechanism):
    Devices: to Devices - SSH certificates; to Apps - client-side SSL cert; to Networks - geofencing, fingerprinting, NAC; to Data - encryption keys; to Users - ?
    Apps: to Devices - server-side SSL cert; to Apps - API key; to Networks - ?; to Data - encryption keys; to Users - enhanced SSL certificates
    Networks: to Devices - 802.1X certificate; to Apps - ?; to Networks - firewall rules; to Data - ?; to Users - ?
    Data: to Devices - hashes / checksums; to Apps - hashes / checksums; to Networks - ?; to Data - ?; to Users - hashes / checksums
    Users: to Devices - user creds, biometrics, 2FA; to Apps - user creds, biometrics, 2FA; to Networks - user creds, 2FA; to Data - user creds, 2FA; to Users - photo ID, handshake
    Reduce/eliminate these perimeters to make security more usable.
  • 17. Use Case 5: Calculate Defense-in-Depth. Each cell of the matrix gets a score; the D-in-D score is the sum of columns and rows times 100 (cell values in reading order: 0.25 0.40 0.20 0.64 0.20 0.10 0.10 0.15 0.45 0.15 0.10 0.20 0.39 0.05 0.10 0.20 0.32 0.30 0.10 0.37 0.52 0.36 0.51 0.35 0.46; overall D-in-D score: 44).
  • 18. Use Case 6: Understand how to balance your portfolio without breaking the bank. Spend per cell, with a Total column per asset class and a Total row per function (cell values in reading order: $50 $100 $50 $200 $50 $100 $50 $100 $300 $100 $100 $50 $250 $50 $50 $50 $150 $50 $50 $100 $200 $200 $250 $150 $200; grand total $1000).
  • 19. Use Case 7: Anticipate the "Effective Half Life" of People Skills, Processes, and Technologies. Each cell carries a half-life for technology, people, and process (cell values in reading order: 55 3 42 3 53 3 53 3 54 2 55 4 33 3 35 4 33 4 55 1 45 5 21 3 22 3 32 3 45 4 25 5 24 2 25 3 22 2 35 3 55 5 35 4 23 3 43 4 55 5). New detection technologies may need to be rolled out EVERY TWO YEARS to maintain efficacy at 50% or higher. Staff need training EVERY YEAR to maintain efficacy at 50% or higher.
  • 20. Use Case 8: Disintermediate Components for Easier Orchestration. Components named by environment, asset class, and function exchange messages over a Common Message Fabric instead of point-to-point integrations: Vendor Application Protection; Enterprise Network Detection; Enterprise Device Response; Customer Device Protection; Threat Actor Application Identification; Enterprise Network Identification; Customer Device Identification.
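The following is an added example, not code from the talk or from any product it names: an in-memory stand-in for the "common message fabric" of Use Case 8. Components are addressed by the same three coordinates the matrix uses (environment, asset class, function), so a detection component never has to know which response component consumes its output; adding a consumer is a new subscription, not a new integration. The component names come from slide 20; the message fields, the topic format, the wildcard rule, and the hostname and indicator in the scenario are assumptions made for this example.

```python
# Added example (not from the slides): an in-memory "common message fabric".
# Component names follow slide 20; message fields, topic format, wildcard rule,
# hostnames and indicators are assumptions constructed for this example.
from dataclasses import dataclass, field


@dataclass
class Message:
    environment: str   # Enterprise, Vendor, Customer or Threat Actor assets
    asset_class: str   # Devices, Applications, Networks, Data, Users
    function: str      # Identify, Protect, Detect, Respond, Recover
    producer: str      # component name, as on slide 20
    body: dict = field(default_factory=dict)

    @property
    def topic(self):
        return (self.environment, self.asset_class, self.function)


class MessageFabric:
    """Publish/subscribe bus keyed by (environment, asset_class, function).
    A subscription pattern may use '*' as a wildcard in any position."""

    def __init__(self):
        self._subscriptions = []  # (pattern, handler) pairs, in subscription order
        self.log = []             # every message published, in publication order

    def subscribe(self, pattern, handler):
        if len(pattern) != 3:
            raise ValueError("pattern must be (environment, asset_class, function)")
        self._subscriptions.append((tuple(pattern), handler))

    def publish(self, message):
        """Deliver to every matching subscriber; return how many received it."""
        self.log.append(message)
        delivered = 0
        for pattern, handler in self._subscriptions:
            if all(p == "*" or p == t for p, t in zip(pattern, message.topic)):
                handler(message)
                delivered += 1
        return delivered


class EnterpriseDeviceResponse:
    """Consumes any enterprise Detect message and answers with a Respond message."""

    def __init__(self, fabric):
        self.fabric = fabric
        self.isolated = []  # hosts already isolated, to keep the response idempotent
        fabric.subscribe(("Enterprise", "*", "Detect"), self.on_detect)

    def on_detect(self, msg):
        host = msg.body.get("host")
        if host is None or host in self.isolated:
            return  # nothing to act on, or already handled
        self.isolated.append(host)
        self.fabric.publish(Message("Enterprise", "Devices", "Respond",
                                    "Enterprise Device Response",
                                    {"host": host, "action": "isolate",
                                     "reason": msg.body.get("indicator")}))


def run_scenario():
    """Constructed exchange: network detection -> device response, plus an audit
    listener that sees everything without either producer knowing about it."""
    fabric = MessageFabric()
    responder = EnterpriseDeviceResponse(fabric)
    audit = []
    fabric.subscribe(("*", "*", "*"), audit.append)

    # Enterprise Network Detection publishes a finding addressed only to the
    # matrix cell it belongs to, not to a specific response product.
    detection = {"host": "ws-0042", "indicator": "beaconing to 198.51.100.7"}
    fabric.publish(Message("Enterprise", "Networks", "Detect",
                           "Enterprise Network Detection", dict(detection)))
    # A repeated detection for the same host must not trigger a second isolation.
    fabric.publish(Message("Enterprise", "Networks", "Detect",
                           "Enterprise Network Detection", dict(detection)))
    return fabric, responder, audit


if __name__ == "__main__":
    fabric, responder, audit = run_scenario()
    for m in fabric.log:
        print(m.producer, "->", m.topic, m.body)
```

The design point is in `EnterpriseDeviceResponse.__init__`: it subscribes to the cell pattern ("Enterprise", "*", "Detect"), so a second detection source (say, an endpoint detection product publishing to ("Enterprise", "Devices", "Detect")) is consumed with no change to either side. The audit subscriber shows the other benefit of the fabric: a GRC or analytics component can observe all traffic by subscribing to the wildcard topic.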
  • 21. Use Case 9: Differentiate between a platform and a product. What makes a technology a "platform"? 1. Enables enterprises to operate as mechanics and not just chauffeurs. 2. Exposes all its functions through APIs for easier integration with other technologies and capabilities. 3. Leverages data exchange standards that enable interchangeable components.
  • 22. Use Case 10: Identifying Opportunities to Accelerate the People > Process > Technology Lifecycle. New discoveries and war stories (people) get codified into playbooks and checklists (process) and are then embedded into technology. The left of the matrix is usually fighting against technology; the right is usually fighting against people.
  • 23. Use Case 11: Identify technology gaps or overreliance in your technology portfolio. Each cell holds one check mark per deployed product; empty cells are gaps and cells with many checks show overreliance. Check marks on this slide, in reading order: ✔✔ ✔✔✔ ✔✔✔✔ ✔✔✔✔ ✔✔ ✔ ✔✔ ✔✔ ✔✔✔ ✔ ✔ ✔✔✔ ✔✔✔ ✔✔✔ ✔✔
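The following is an added example, not code from the talk: a small model of the Cyber Defense Matrix that does the bookkeeping behind three of the use cases above in one place. It totals spend per asset class and per function (Use Case 6), checks a portfolio against a required set of cells, the "bingo card" of Use Case 2, and flags empty or overloaded cells (Use Case 11). The portfolio, its product names and its costs are constructed for the example; cell placements loosely follow the market segments on slide 7, and the overreliance threshold of three products per cell is an assumption.

```python
# Added example (not from the slides): bookkeeping for a Cyber Defense Matrix
# portfolio. The sample products, costs and the overreliance threshold are
# constructed assumptions; placements loosely follow slide 7.
from dataclasses import dataclass

ASSET_CLASSES = ("Devices", "Applications", "Networks", "Data", "Users")
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")


@dataclass(frozen=True)
class Product:
    name: str
    asset_class: str
    function: str
    annual_cost: int  # constructed figure, arbitrary currency units


class CyberDefenseMatrix:
    def __init__(self):
        self.cells = {(a, f): [] for a in ASSET_CLASSES for f in FUNCTIONS}

    def add(self, product):
        """Place a product in exactly one cell (slide 26: one shopping aisle per vendor)."""
        key = (product.asset_class, product.function)
        if key not in self.cells:
            raise ValueError(f"{product.name}: {key} is not a matrix cell")
        self.cells[key].append(product)

    def cell_cost(self, asset_class, function):
        return sum(p.annual_cost for p in self.cells[(asset_class, function)])

    def row_totals(self):
        """Spend per asset class (the Total column of slide 18)."""
        return {a: sum(self.cell_cost(a, f) for f in FUNCTIONS) for a in ASSET_CLASSES}

    def column_totals(self):
        """Spend per operational function (the Total row of slide 18)."""
        return {f: sum(self.cell_cost(a, f) for a in ASSET_CLASSES) for f in FUNCTIONS}

    def grand_total(self):
        return sum(self.row_totals().values())

    def gaps(self, pattern=None):
        """Cells with no product. With a pattern (a set of required cells) only
        those cells are checked, which is the bingo-card check of slide 14."""
        wanted = self.cells.keys() if pattern is None else pattern
        return sorted(c for c in wanted if not self.cells[c])

    def overreliance(self, threshold=3):
        """Cells carrying at least `threshold` products (the crowded cells of slide 23)."""
        return sorted(c for c, ps in self.cells.items() if len(ps) >= threshold)

    def render(self):
        """Plain-text grid of product counts per cell, for a quick gap review."""
        width = max(len(a) for a in ASSET_CLASSES) + 1
        lines = [" " * width + "".join(f"{f:>10}" for f in FUNCTIONS)]
        for a in ASSET_CLASSES:
            counts = (len(self.cells[(a, f)]) for f in FUNCTIONS)
            lines.append(f"{a:<{width}}" + "".join(f"{c:>10}" for c in counts))
        return "\n".join(lines)


def build_sample_portfolio():
    """Constructed portfolio; placements loosely follow the segments on slide 7."""
    m = CyberDefenseMatrix()
    for name, asset, func, cost in [
        ("asset inventory", "Devices", "Identify", 50),
        ("anti-virus", "Devices", "Protect", 100),
        ("HIPS", "Devices", "Protect", 50),
        ("application allowlisting", "Devices", "Protect", 50),
        ("EDR", "Devices", "Detect", 200),
        ("WAF", "Applications", "Protect", 100),
        ("firewall / IPS", "Networks", "Protect", 100),
        ("IDS", "Networks", "Detect", 100),
        ("full PCAP", "Networks", "Respond", 100),
        ("DLP", "Data", "Protect", 150),
        ("backup", "Data", "Recover", 50),
        ("phishing simulations", "Users", "Identify", 25),
        ("phishing awareness", "Users", "Protect", 25),
        ("behavioral analytics", "Users", "Detect", 100),
    ]:
        m.add(Product(name, asset, func, cost))
    return m


if __name__ == "__main__":
    m = build_sample_portfolio()
    print(m.render())
    print("per function:", m.column_totals(), "total:", m.grand_total())
    print("empty cells:", len(m.gaps()), "overloaded:", m.overreliance())
    # A design pattern that requires Recover coverage for every asset class:
    print("missing recover:", m.gaps({(a, "Recover") for a in ASSET_CLASSES}))
```

On the constructed portfolio the column totals make the imbalance of slide 18 visible at a glance (Protect carries most of the spend while Respond and Recover carry almost none), `gaps()` lists the thirteen empty cells, and `overreliance()` picks out the Devices/Protect cell with three overlapping products. Feeding a required-cell set to `gaps()` turns a bingo card into a purchase list.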
  • 24. Model Shortfalls: Where is analytics? GRC? Orchestration? This framework supports the higher-level functions of orchestration, analytics, and governance/risk/compliance, but they are represented on a different dimension.
  • 25. Comparison of Models: Gartner's Five Styles of Advanced Threat Defense (source: Gartner). Gartner's grid has a Time axis (real time / near real time vs post compromise, days/weeks) and a Where to Look axis (network, payload, endpoint): Style 1 Network Traffic Analysis, Style 2 Network Forensics, Style 3 Payload Analysis, Style 4 Endpoint Behavior Analysis, Style 5 Endpoint Forensics. Mapped onto the Cyber Defense Matrix, Styles 1, 2, 4, and 5 land on Enterprise Assets and Style 3 on Threat Actor Assets.
  • 26. Applying the Cyber Defense Matrix.
    This week: use the matrix to categorize vendors that you encounter in the Expo Hall. Ask them where they fit and don't allow them to be in multiple shopping aisles.
    In the first three months following this presentation you should: send me feedback on how you have mapped vendors to it; organize your portfolio of technologies to see where you might have gaps; identify vendors that may round out your portfolio based on your security design pattern (a.k.a. security bingo card).
    Within six months you should: send me feedback on how you used the Cyber Defense Matrix and improved it.

Editor's Notes

  1. Approaching this from a practitioner’s view. If the market is a representation of our needs, then what are we actually seeing in the market and how does that fit into any models that we have? Common language = Klingon 101. Think of this as Klingon 201 or 301. Mention that this is intended to be shareable, you can take pictures, you can reference me, but you can’t reference Bank of America
  2. Mention the difficulties of distinguishing between - Identify and Detect - What is protected vs where that protection is applied.
  3. Our understanding of Threat Actor assets enables our ability to protect our internal assets and detect intrusions
  4. Are there inefficiencies when what it does isn’t where it does it? Can we make tradeoffs to optimize our footprint and not overwhelm one part of it (e.g., endpoint)
  5. Talk about functional decomposition