The Cyber Defense Matrix enables organizations to define clear categories for the range of products and services that are available in the marketplace to solve our various infosec problems. This model removes confusion around the security technologies that we buy and helps organizations align their vendors to have the right suite of capabilities to execute their information security mission.
See the 2019 version at: http://bit.ly/cyberdefensematrixreloaded
See the 2022 version at: http://bit.ly/cyberdefensematrixrevolutions
2. #RSAC
Disclaimers
The views, opinions, and positions expressed in this presentation are solely my own. It does not necessarily represent the views and opinions of my employer and does not constitute or imply any endorsement from or usage by my employer.
"All models are wrong, but some are useful." - George E. P. Box
@sounilyu
3. #RSAC
Our industry is full of jargon terms that make it difficult to understand what we are buying
To accelerate the maturity of our practice, we need a common language
4. #RSAC
Our common language can be bounded by five asset classes and the NIST Cybersecurity Framework

Asset Classes
• DEVICES: Workstations, servers, VoIP phones, tablets, IoT, storage, network devices, infrastructure, etc.
• APPS: The software, interactions, and application flows on the devices
• NETWORKS: The connections and traffic flowing among devices and applications
• DATA: The information residing on, traveling through, or processed by the resources above
• USERS: The people using the resources listed above

Operational Functions
• IDENTIFY: Inventorying assets and vulns, measuring attack surface, baselining normal, risk profiling
• PROTECT: Preventing or limiting impact, patching, containing, isolating, hardening, managing access, vuln remediation
• DETECT: Discovering events, triggering on anomalies, hunting for intrusions, security analytics
• RESPOND: Acting on events, eradicating intrusion footholds, assessing damage, coordinating, reconstructing events forensically
• RECOVER: Returning to normal operations, restoring services, documenting lessons learned
5. #RSAC
Introducing the "Cyber Defense Matrix"
Rows (asset classes): Devices, Applications, Networks, Data, Users
Columns (operational functions): Identify, Protect, Detect, Respond, Recover
Bottom axis, Degree of Dependency: Technology on the left to People on the right, with Process in between
6. #RSAC
Left and Right of "Boom"
Identify Protect Detect Respond Recover
Pre-Event: Structural Awareness | Post-Event: Situational Awareness
(Matrix frame: Devices, Applications, Networks, Data, Users; Degree of Dependency: Technology to People, with Process in between)
7. #RSAC
Enterprise Security Market Segments
(Matrix frame: Devices, Applications, Networks, Data, Users by Identify, Protect, Detect, Respond, Recover; Degree of Dependency: Technology to People, with Process in between)
Segments placed on the matrix:
• IAM
• Endpoint Visibility and Control / Endpoint Threat Detection & Response
• Configuration and Systems Management
• Data Labeling
• App Sec (SAST, DAST, IAST, RASP), WAFs
• Phishing Simulations
• DDoS Mitigation
• Insider Threat / Behavioral Analytics
• Network Security (FW, IPS)
• DRM
• Data Encryption, DLP
• IDS
• Netflow
• Full PCAP
• AV, HIPS
• Deep Web, Brian Krebs, FBI
• Backup
• Phishing Awareness
8. #RSAC
We care about more than just the assets that are owned and controlled by the enterprise
Environments: Threat Actors, Vendors, Customers, Employees, Enterprise Assets

Enterprise Assets
• Devices - user workstations, servers, phones, tablets, IoT, peripherals, storage, network devices, web cameras, infrastructure devices, etc.
• Applications - The software, interactions, and application flows on the devices
• Network - The connections and traffic flowing among devices and applications
• Data - The information residing on, traveling through, or processed by the resources listed above
• Users - The people using the resources listed above

Operational Functions
• Identify - inventorying assets and vulnerabilities, measuring attack surface, baselining normal, risk profiling
• Protect - preventing or limiting impact, patching, containing, isolating, hardening, managing access, vuln remediation
• Detect - discovering events, triggering on anomalies, hunting for intrusions, security analytics
• Respond - acting on events, eradicating intrusion footholds, assessing damage, coordinating response, forensics
• Recover - returning to normal operations, restoring services, documenting lessons learned
9. #RSAC
Market Segments - Other Environments
(Each environment gets its own matrix of Devices, Applications, Networks, Data, Users by Identify, Protect, Detect, Respond, Recover)
• Threat Actor Assets: Threat Data; Intrusion Deception; Malware Sandboxes
• Vendor Assets: Cloud Access Security Brokers; Vendor Risk Assessments
• Customer Assets: Endpoint Fraud Detection; Device Fingerprinting (appears in two cells); Web Fraud Detection
• Employee Assets: BYOD MAM; BYOD MDM
10. #RSAC
Security Technologies Mapped by Asset Class
Asset classes (definitions as on slide 4): DEVICES, APPS, NETWORKS, DATA, USERS
Disclaimer: Vendors shown are representative only. No usage or endorsement should be construed because they are shown here.
11. #RSAC
Security Technologies Mapped by Operational Functions
• IDENTIFY: Inventorying assets, measuring attack surface, baselining normal, risk profiling
• PROTECT: Preventing or limiting impact, containing, hardening, managing access
• DETECT: Discovering events, triggering on anomalies, hunting for intrusions
• RESPOND: Acting on events, eradicating intrusion footholds, assessing damage, coordinating, reconstructing events forensically
• RECOVER: Returning to normal operations, restoring services, documenting lessons learned
MSSPs / IR
12. #RSAC
Security Technologies by Asset Classes & Operational Functions
(Matrix frame: Devices, Applications, Networks, Data, Users by Identify, Protect, Detect, Respond, Recover; Degree of Dependency: Technology to People, with Process in between)
13. #RSAC
Use Case 1: Understand how products in one area support the capabilities of another area
Threat Actor Assets matrix (Devices, Applications, Networks, Data, Users by Identify, Protect, Detect, Respond, Recover): threat data providers fall into this category...
Enterprise Assets matrix: ...and threat integration platforms consume, integrate, and drive action on threat data through other products that are in these categories
14. #RSAC
Use Case 2: Define Security Design Patterns (a.k.a. Security Bingo Card)
Identify Protect Detect Respond Recover
Devices       O O O O O
Applications  O O O O O
Networks      O O O O O
Data          O O O O O
Users         O O O O O
Degree of Dependency: Technology to People, with Process in between
15. #RSAC
Use Case 3: Maximizing Your Available Deployment Footprint (What vs Where)
What: Application Security (Protect) - RASP, WAF, Secure Coding
What: Endpoint Protection (Protect) - Anti Malware, Malware Sandbox, Phishing Awareness
Where: the asset-class rows (Devices, Applications, Networks, Data, Users) on which each of those capabilities is actually deployed
16. #RSAC
Use Case 4: The (network) perimeter is dead. Long live (other) perimeters
PROTECT: the authentication and integrity artifacts that form a perimeter FROM one asset class (rows) TO another (columns). Cell placement follows the reading order of the extracted slide; "?" marks cells the slide leaves open.

FROM \ TO | Devices                     | Apps                        | Networks                        | Data            | Users
Devices   | SSH Certificates            | Client-side SSL Cert        | Geofencing, Fingerprinting, NAC | Encryption keys | ?
Apps      | Server-Side SSL Cert        | API Key                     | ?                               | Encryption keys | Enhanced SSL Certificates
Networks  | 802.1X Certificate          | ?                           | Firewall Rules                  | ?               | ?
Data      | Hashes / Checksums          | Hashes / Checksums          | ?                               | ?               | Hashes / Checksums
Users     | User Creds, Biometrics, 2FA | User Creds, Biometrics, 2FA | User Creds, 2FA                 | User Creds, 2FA | Photo ID, Handshake

Reduce/Eliminate these perimeters to make security more usable
18. #RSAC
Use Case 6: Understand how to balance your portfolio without breaking the bank
Spend per row (values listed in the order they appear on the slide; empty cells are not recoverable from the text), with row totals:
Devices:      $50  $100 $50       Total $200
Applications: $50  $100 $50  $100 Total $300
Networks:     $100 $100 $50       Total $250
Data:         $50  $50  $50       Total $150
Users:        $50  $50            Total $100
Column totals (Identify, Protect, Detect, Respond, Recover): $200 $200 $250 $150 $200; grand total $1000
19. #RSAC
Use Case 7: Anticipate the "Effective Half Life" of People Skills, Processes, and Technologies
(Matrix frame: Devices, Applications, Networks, Data, Users by Identify, Protect, Detect, Respond, Recover; Degree of Dependency: Technology to People, with Process in between)
Cell figures as extracted, read row by row:
Devices:      55 3 | 42 3 | 53 3 | 53 3 | 54 2
Applications: 55 4 | 33 3 | 35 4 | 33 4 | 55 1
Networks:     45 5 | 21 3 | 22 3 | 32 3 | 45 4
Data:         25 5 | 24 2 | 25 3 | 22 2 | 35 3
Users:        55 5 | 35 4 | 23 3 | 43 4 | 55 5
New detection technologies may need to be rolled out EVERY TWO YEARS to maintain efficacy at 50% or higher
Staff need training EVERY YEAR to maintain efficacy at 50% or higher
20. #RSAC
Use Case 8: Disintermediate Components for Easier Orchestration
Common Message Fabric, with each component named by the environment, asset class, and operational function it serves:
• Vendor Application Protection
• Enterprise Network Detection
• Enterprise Device Response
• Customer Device Protection
• Threat Actor Application Identification
• Enterprise Network Identification
• Customer Device Identification
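The slide names the components but not how the fabric carries messages between them. The following is an added example, not code from the deck or from any vendor: it builds a minimal publish/subscribe fabric in which every component is addressed by its matrix cell (environment.asset.function) and no publisher knows which products consume its output, so a cell can be replaced or a new consumer added without touching the others. The topic scheme, the class names (taken from the slide's component labels) and the device ids, fingerprints and host names are all constructed for the example.

```python
"""Common message fabric for Use Case 8 (added example, not from the deck).

Components exchange messages only through topics named after the matrix
cell they serve, so integration is with the fabric, not with each vendor.
Device ids, fingerprints and host names are constructed sample data.
"""
from collections import defaultdict


def topic(environment, asset, function):
    """Topic derived from the matrix cell, e.g. 'customer.device.identification'."""
    return f"{environment}.{asset}.{function}".lower()


class MessageFabric:
    def __init__(self):
        self._handlers = defaultdict(list)
        self.log = []  # every published message, for auditing the exchange

    def subscribe(self, topic_name, handler):
        self._handlers[topic_name].append(handler)

    def publish(self, topic_name, message):
        """Deliver to every current subscriber; returns how many received it."""
        self.log.append((topic_name, dict(message)))
        for handler in list(self._handlers[topic_name]):
            handler(message)
        return len(self._handlers[topic_name])


class CustomerDeviceIdentification:
    """Fingerprints customer devices and publishes what it observed."""
    def __init__(self, fabric):
        self.fabric = fabric

    def observe(self, device_id, fingerprint):
        self.fabric.publish(topic("customer", "device", "identification"),
                            {"device": device_id, "fingerprint": fingerprint})


class CustomerDeviceProtection:
    """Blocks customer devices whose fingerprint is on a known-bad list."""
    KNOWN_BAD_FINGERPRINTS = {"fp-emulator-001"}  # constructed

    def __init__(self, fabric):
        self.fabric = fabric
        self.blocked = []
        fabric.subscribe(topic("customer", "device", "identification"), self.on_identified)

    def on_identified(self, msg):
        if msg["fingerprint"] in self.KNOWN_BAD_FINGERPRINTS:
            self.blocked.append(msg["device"])
            self.fabric.publish(topic("customer", "device", "protection"),
                                {"device": msg["device"], "action": "block"})


class EnterpriseNetworkDetection:
    """Raises alerts on enterprise network traffic."""
    def __init__(self, fabric):
        self.fabric = fabric

    def alert(self, host, reason):
        self.fabric.publish(topic("enterprise", "network", "detection"),
                            {"host": host, "reason": reason})


class EnterpriseDeviceResponse:
    """Isolates enterprise hosts named in network detection alerts."""
    def __init__(self, fabric):
        self.fabric = fabric
        self.isolated = []
        fabric.subscribe(topic("enterprise", "network", "detection"), self.on_alert)

    def on_alert(self, msg):
        self.isolated.append(msg["host"])
        self.fabric.publish(topic("enterprise", "device", "response"),
                            {"host": msg["host"], "action": "isolate"})


def run_scenario():
    """Wire the components through the fabric and replay a constructed sequence."""
    fabric = MessageFabric()
    ident = CustomerDeviceIdentification(fabric)
    protect = CustomerDeviceProtection(fabric)
    detect = EnterpriseNetworkDetection(fabric)
    respond = EnterpriseDeviceResponse(fabric)
    # A later analytics consumer subscribes without any publisher changing.
    analytics = []
    fabric.subscribe(topic("enterprise", "network", "detection"), analytics.append)

    ident.observe("dev-1", "fp-browser-ok")       # benign: no protection message
    ident.observe("dev-2", "fp-emulator-001")     # known bad: blocked
    detect.alert("host-7", "beaconing to sinkholed domain")

    return {
        "blocked": protect.blocked,
        "isolated": respond.isolated,
        "analytics_seen": len(analytics),
        "messages": len(fabric.log),
        "topics": sorted({t for t, _ in fabric.log}),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The fabric's log doubles as the orchestration audit trail: every cell-to-cell hand-off is recorded with its topic, which is what lets a defender verify that an identification event actually resulted in a protection or response action.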
21. #RSAC
Use Case 9: Differentiate between a platform and a product
(Matrix frame: Devices, Applications, Networks, Data, Users by Identify, Protect, Detect, Respond, Recover; Degree of Dependency: Technology to People, with Process in between)
Product vs. Platform
What makes a technology a "platform"?
1. Enables enterprises to operate as mechanics and not just chauffeurs
2. Exposes all its functions through APIs for easier integration with other technologies and capabilities
3. Leverages data exchange standards that enable interchangeable components
22. #RSAC
Usually
Fighting
Against Technology
Usually
Fighting
Against People
Devices
Applications
Networks
Data
Users
Degree
of
Dependency
Identify Protect Detect Respond Recover
Technology People
Process
Use
Case
10:
Identifying
Opportunities
to
Accelerate
the
People>Process>Technology
Lifecycle
22
Codified
Into
Playbooks
&
Checklists
New
Discoveries
and
War
Stories!
Embedded
Into
Technology
@sounilyu
23. #RSAC
✔✔ ✔✔✔ ✔✔✔✔ ✔✔✔✔
✔✔ ✔
✔✔ ✔✔ ✔✔✔ ✔
✔ ✔✔✔
✔✔✔ ✔✔✔ ✔✔
Use
Case
11:
Identify
technology
gaps
or
overreliance
in
your
technology
portfolio
23
Identify Protect Detect Respond Recover
Technology
People
Process
Devices
Applications
Networks
Data
Users
Degree
of
Dependency
@sounilyu
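Use Cases 6, 7 and 11 all treat the matrix as a portfolio to be checked: row and column spend totals, the decay of a control's efficacy against its half-life, and empty or over-stacked cells. The following is an added example, not code from the deck or its author, that represents the matrix as a data structure and performs those three checks. The control names, costs, half-lives and dates are constructed sample data, and the decay model (efficacy halves every half-life, refresh once it drops below 50%) is my reading of the slide's "effective half life" rule, not a formula the deck states.

```python
"""Cyber Defense Matrix as a portfolio data structure (added example).

Controls are placed into (asset class, operational function) cells, then
the portfolio is checked for spend balance (Use Case 6), decayed efficacy
(Use Case 7) and gaps / over-reliance (Use Case 11). All control names,
costs, half-lives and dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date

ASSET_CLASSES = ["Devices", "Applications", "Networks", "Data", "Users"]
FUNCTIONS = ["Identify", "Protect", "Detect", "Respond", "Recover"]


@dataclass(frozen=True)
class Control:
    name: str
    asset: str              # one of ASSET_CLASSES
    function: str           # one of FUNCTIONS
    annual_cost: int        # constructed, same units as the deck's $ table
    half_life_years: float  # constructed: years until efficacy halves
    deployed: date          # constructed deployment (or last refresh) date

    def __post_init__(self):
        # A control must land in exactly one cell; a product that claims
        # to sit in every shopping aisle is rejected up front.
        if self.asset not in ASSET_CLASSES or self.function not in FUNCTIONS:
            raise ValueError(f"{self.name}: ({self.asset}, {self.function}) is not a matrix cell")


def coverage(controls):
    """Map every matrix cell to the names of the controls placed in it."""
    grid = {(a, f): [] for a in ASSET_CLASSES for f in FUNCTIONS}
    for c in controls:
        grid[(c.asset, c.function)].append(c.name)
    return grid


def spend_by_function(controls):
    """Column totals of the Use Case 6 table."""
    totals = dict.fromkeys(FUNCTIONS, 0)
    for c in controls:
        totals[c.function] += c.annual_cost
    return totals


def spend_by_asset(controls):
    """Row totals of the Use Case 6 table."""
    totals = dict.fromkeys(ASSET_CLASSES, 0)
    for c in controls:
        totals[c.asset] += c.annual_cost
    return totals


def efficacy(control, today):
    """Exponential decay: 1.0 when new, 0.5 after one half-life, 0.25 after two."""
    age_years = (today - control.deployed).days / 365.25
    return 0.5 ** (age_years / control.half_life_years)


def stale_controls(controls, today, threshold=0.5):
    """Controls whose decayed efficacy is below the threshold and are due for
    a refresh (technology) or retraining (people)."""
    return [c.name for c in controls if efficacy(c, today) < threshold]


def gaps(controls):
    """Empty cells: capability the portfolio does not cover at all."""
    return [cell for cell, names in coverage(controls).items() if not names]


def empty_functions(controls):
    """Whole columns with no control, e.g. no Respond capability for any asset."""
    grid = coverage(controls)
    return [f for f in FUNCTIONS if not any(grid[(a, f)] for a in ASSET_CLASSES)]


def overreliance(controls, max_per_cell=2):
    """Cells stacked with more than max_per_cell overlapping products."""
    return {cell: names for cell, names in coverage(controls).items() if len(names) > max_per_cell}


SAMPLE_PORTFOLIO = [  # constructed sample data
    Control("Asset inventory", "Devices", "Identify", 50, 5.0, date(2014, 1, 1)),
    Control("Endpoint AV", "Devices", "Protect", 100, 2.0, date(2013, 1, 1)),
    Control("EDR", "Devices", "Detect", 50, 2.0, date(2015, 6, 1)),
    Control("WAF", "Applications", "Protect", 100, 2.0, date(2015, 1, 1)),
    Control("Firewall", "Networks", "Protect", 100, 3.0, date(2012, 1, 1)),
    Control("IDS", "Networks", "Detect", 100, 2.0, date(2015, 1, 1)),
    Control("Netflow", "Networks", "Detect", 50, 3.0, date(2015, 1, 1)),
    Control("Full PCAP", "Networks", "Detect", 50, 3.0, date(2015, 1, 1)),
    Control("Backup", "Data", "Recover", 50, 4.0, date(2015, 1, 1)),
    Control("Phishing awareness training", "Users", "Protect", 50, 1.0, date(2015, 1, 1)),
]
TODAY = date(2016, 3, 1)  # constructed reference date


def portfolio_report(controls=SAMPLE_PORTFOLIO, today=TODAY):
    return {
        "spend_by_function": spend_by_function(controls),
        "spend_by_asset": spend_by_asset(controls),
        "stale": stale_controls(controls, today),
        "gaps": len(gaps(controls)),
        "empty_functions": empty_functions(controls),
        "overreliance": overreliance(controls),
    }


if __name__ == "__main__":
    for key, value in portfolio_report().items():
        print(f"{key}: {value}")
```

On the sample portfolio the report shows the pattern the deck warns about: Networks/Detect carries three overlapping products while the whole Respond column is empty, and the one-year half-life on awareness training means last year's training is already below 50% efficacy, which is the slide's "train every year" conclusion in numbers.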
24. #RSAC
Model Shortfalls: Where is analytics? GRC? Orchestration?
This framework supports the higher-level functions of orchestration, analytics, and governance/risk/compliance, but they are represented on a different dimension: GRC, Analytics, Orchestration
25. #RSAC
Comparison of Models: Gartner's Five Styles of Advanced Threat Defense
Source: Gartner

Where to Look \ Time | Real Time / Near Real Time          | Post Compromise (Days/Weeks)
Network              | Style 1: Network Traffic Analysis   | Style 2: Network Forensics
Payload              | Style 3: Payload Analysis           |
Endpoint             | Style 4: Endpoint Behavior Analysis | Style 5: Endpoint Forensics

Mapped onto the Cyber Defense Matrix (Devices, Applications, Networks, Data, Users by Identify, Protect, Detect, Respond, Recover):
• Enterprise Assets: Style 4, Style 1, Style 5, Style 2
• Threat Actor Assets: Style 3
26. #RSAC
Applying the Cyber Defense Matrix
This week: Use the matrix to categorize vendors that you encounter in the Expo Hall. Ask them where they fit and don't allow them to be in multiple shopping aisles.
In the first three months following this presentation you should:
• Send me feedback on how you have mapped vendors to it
• Organize your portfolio of technologies to see where you might have gaps
• Identify vendors that may round out your portfolio based on your security design pattern (a.k.a. security bingo card)
Within six months you should:
• Send me feedback on how you used the Cyber Defense Matrix and improved it
Speaker notes
Approaching this from a practitioner's view. If the market is a representation of our needs, then what are we actually seeing in the market, and how does that fit into any models that we have?
Common language = Klingon 101. Think of this as Klingon 201 or 301.
Mention that this is intended to be shareable: you can take pictures, you can reference me, but you can't reference Bank of America.
Mention the difficulties of distinguishing between
- Identify and Detect
- What is protected vs. where that protection is applied.
Our understanding of Threat Actor assets enables our ability to protect our internal assets and detect intrusions.
Are there inefficiencies when what it does isn't where it does it?
Can we make tradeoffs to optimize our footprint and not overwhelm one part of it (e.g., endpoint)?