The Cyber Defense Matrix helps people organize and understand gaps in their overall security program. These slides describe several additional use cases of the Cyber Defense Matrix, including how to map the latest startup vendors and security trends, anticipate gaps, develop program roadmaps, capture metrics, reconcile inventories, improve situational awareness, and create a board-level view of their entire program.
See the 2016 version at: http://bit.ly/cyberdefensematrix
See the 2019 version at: http://bit.ly/cyberdefensematrixreloaded
4. #RSAC
@sounilyu
One simple way to organize these buzzwords is by
aligning them against five asset classes and the NIST CSF
4
Operational Functions
Inventorying assets and vulns,
measuring attack surface,
prioritizing, baselining normal,
threat modeling, risk assessment
Preventing or limiting impact,
patching, containing, isolating,
hardening, managing access,
vuln remediation
Discovering events, triggering on
anomalies, hunting for
intrusions, security analytics
Acting on events, eradicating
intrusion, assessing damage,
forensic reconstruction
Returning to normal operations,
restoring services, documenting
lessons learned, resiliency
Asset Classes
Workstations, servers,
phones, tablets, storage,
network devices, IoT
infrastructure, etc.
Software, interactions,
and application flows on
the devices
Connections and traffic
flowing among devices
and apps
Information at rest, in
transit, or in use by the
resources above
The people using the
resources listed above
10011101010101010010
01001101010110101001
11010101101011010100
10110101010101101010
DEVICES
APPS
NETWORKS
DATA
USERS
IDENTIFY
PROTECT
DETECT
RESPOND
RECOVER
5. #RSAC
@sounilyu
The Cyber Defense Matrix
5
Operational Functions
Inventorying assets and vulns,
measuring attack surface,
prioritizing, baselining normal,
threat modeling, risk assessment
Preventing or limiting impact,
patching, containing, isolating,
hardening, managing access,
vuln remediation
Discovering events, triggering on
anomalies, hunting for
intrusions, security analytics
Acting on events, eradicating
intrusion, assessing damage,
forensic reconstruction
Returning to normal operations,
restoring services, documenting
lessons learned, resiliency
Asset Classes
Workstations, servers,
phones, tablets, storage,
network devices, IoT
infrastructure, etc.
Software, interactions,
and application flows on
the devices
Connections and traffic
flowing among devices
and apps
Information at rest, in
transit, or in use by the
resources above
The people using the
resources listed above
10011101010101010010
01001101010110101001
11010101101011010100
10110101010101101010
DEVICES
APPS
NETWORKS
DATA
USERS
IDENTIFY
PROTECT
DETECT
RESPOND
RECOVER
Devices
Applications
Networks
Data
Users
Degree of
Dependency
Technology
People
Process
Identify Protect Detect Respond Recover
6. #RSAC
@sounilyu
Aligning the buzzwords against
the Cyber Defense Matrix…
6
Devices
Applications
Networks
Data
Users
Degree of
Dependency
Technology
People
Process
Identify Protect Detect Respond Recover
7. #RSAC
@sounilyu
…can help bring some order to the chaos…
7
Devices
Applications
Networks
Data
Users
Degree of
Dependency
Technology
People
Process
Identify Protect Detect Respond Recover
Asset Mgt,
Vuln Scanning,
Vuln Mgt,
Certificate Mgt
AV, Anti-Malware,
EPP, FIM, HIPS,
Whitelisting,
Patch Mgt
Endpoint
Detection,
UEBA, XDR
EP Response,
EP Forensics
SAST, DAST,
SW Asset Mgt,
Fuzzers
RASP, WAF,
ZT App Access
Source Code
Compromise, Logic
Bomb Discovery,
App IDS, XDR
Netflow,
Network Vuln
Scanner
FW, IPS/IDS,
Microseg, ESG,
SWG, ZTNA
DDoS Detection,
Net Traf Analysis,
UEBA, XDR
DDoS Response,
NW Forensics
Data Audit,
Discovery,
Classification
Encryption,
Tokenization,
DLP, DRM, DBAM,
DB Access Proxy
Deep Web, Data
Behavior Analytics,
FBI, Brian Krebs,
XDR
DRM,
Breach Response Backup
Phishing Sim,
Background Chk,
MFA
Security
Training &
Awareness
Insider Threat,
User Behavior
Analytics, XDR
8. #RSAC
@sounilyu
…and help you understand what some of these
vendors do! (sorry, this slide is really out of date)
8
Identify Protect Detect Respond Recover
Technology
People
Process
Devices
Applications
Networks
Data
Users
Degree of
Dependency
9. #RSAC
@sounilyu
Use Cases of the Cyber Defense Matrix…
9
Primary Use Case: Vendor Mapping
Differentiating Primary &
Supporting Capabilities
Defining Security
Design Patterns
Maximizing
Deployment Footprint
Understanding the
New Perimeter
Calculating
Defense-in-Breadth
Balancing Your
Portfolio Budget
Planning for
Obsolescence
Disintermediating
Security Components
Comparing Point
Products vs Platforms
Finding Opportunities
for Automation
Identifying Gaps in
People, Process, Tech
https://bit.ly/cyberdefensematrix
10. #RSAC
@sounilyu
Other Use Cases of the Cyber Defense Matrix…
10
https://bit.ly/cyberdefensematrixreloaded
Optimizing Budgets and
Resource Allocation
Mapping Organizational
Handoffs
Aligning Roles and
Responsibilities
Understanding Why
Products are Not Used
Visualizing Attack
Surfaces
Aligning Generalized
vs Specialized Needs
Measurements and
Metrics
Business Aligned
Security Patterns
Vuln Scan vs PenTest
vs BAS vs Red Team
Mapping Zero Trust
Capabilities
Mapping to the
Kill Chain
Mapping to
MITRE ATT&CK
11. #RSAC
@sounilyu
Remember Left and Right of Boom
11
Devices
Applications
Networks
Data
Users
Degree of
Dependency
Technology
People
Process
Identify Protect Detect Respond Recover
Structural Awareness
•Occuring pre-event
•Gathers information about state
•Discovering weaknesses from
vulnerability assessments
•Baselining expected behaviors
and interactions
•Conducting risk management
Situational Awareness
• Occurring post-event
• Gathering information about events and activity
• Discovering evidence of vulnerability
exploitation and investigating
• Triggering on unexpected state
or behavioral changes
• Conducting event and incident management
14. #RSAC
@sounilyu
Use Case 22: Measurement Health
14
HARD
EASY
RELATIVE
DIFFICULTY
Performance
How well does the capability work?
B 96%
Efficiency
How cost effective is the capability?
A $$
Presence
Does the capability exist?
E
Coverage
Is the capability enabled?
D
Utilization
Are all available features enabled?
C
0.25 0.40 0.20
0.20 0.10 0.10 0.15
0.15 0.10 0.20
0.05 0.10 0.20
0.30 0.10
Identify Protect Detect Respond Recover
Devices
Apps
Networks
Data
Users
$50 $100 $50
$50 $100 $50 $100
$100 $100 $50
$50 $50 $50
$50 $50
Identify Protect Detect Respond Recover
Devices
Apps
Networks
Data
Users
E B D E F
C B B E F
A A E F E
E B B F E
D C F E F
Identify Protect Detect Respond Recover
Devices
Apps
Networks
Data
Users
15. #RSAC
@sounilyu
Use Case 23: Developing a roadmap
15
Grocery
Layer 1: Recipes
Proven Practices, Frameworks,
Reference Architectures
Layer 2: Pantry
Current State
Capabilities
Layer 3: Market
Commercial Options,
Art of the Possible
Business/Mission/Technology
Constraints, Exceptions
Layer 5: Nutritional Needs
Risks, Attack Surfaces, Threat
Environment
The “Stack”
Combined
Matrices
Nutritional and
Dietary Needs
Foundation
Cyber Defense Matrix
Layer 4: Allergies
Allergies and
Dietary Restrictions
Pantry
16. #RSAC
@sounilyu
Use Case 23: Constructing a roadmap
16
How secure
am I?
How secure
should I be?
How do I get
there?
Existing
Capabilities
(Pantry)
Best Practices,
Architectures
(Recipes)
Risks
(Nutritional
Needs)
Prospective
Capabilities
(Market)
Mission/Business/Tech
Constraints (Allergies/
Dietary Restrictions)
17. #RSAC
@sounilyu
Use Case 23: Interpreting the roadmap
17
Opportunities
to innovate
Table stakes /
Just do it
Risk Management Discussion:
• Active attacks underway
• Regulatory requirement
• Capabilities are available...
• … but controls create major
mission impact
Opportunities
to deprecate
or capture
best practice
Risk Management Discussion:
• Active attacks underway
• No regulatory requirement
• Capabilities are available...
• … but controls create minor mission impact
Architectural Requirements
Existing Capabilities
Commercial Capabilities
Attack Surfaces
Business/Mission Constraints
18. #RSAC
@sounilyu
Use Case 24: Board Level View
18
Devices
Applications
Networks
Data
Users
Degree of
Dependency
Technology
People
Process
Identify Protect Detect Respond Recover
Sufficient
Controls
Initiatives
Underway
Additional Effort
Required
No Attack
Surface
19. #RSAC
@sounilyu
Use Case 25: Seeing gaps and opportunities
19
Identify Protect Detect Respond Recover
Technology
People
Process
A – B – C – D – E F – G – H – I – J K – L – M – N – O P – Q – R – S – T U – V – W – X – Y – Z
A – B – C – D – E F – G – H – I – J K – L – M – N – O P – Q – R – S – T U – V – W – X – Y – Z
A – B – C – D – E F – G – H – I – J K – L – M – N – O P – Q – R – S – T U – V – W – X – Y – Z
A – B – C – D – E F – G – H – I – J K – L – M – N – O P – Q – R – S – T U – V – W – X – Y – Z
A – B – C – D – E F – G – H – I – J K – L – M – N – O P – Q – R – S – T U – V – W – X – Y – Z
Devices
Applications
Networks
Data
Users
Degree of
Dependency
20. #RSAC
@sounilyu
Use Case 25: Seeing gaps and opportunities
20
Identify Protect Detect Respond Recover
Technology
People
Process
A – B – C – D – E F – G – H – I – J K – L – M – N – O P – Q – R – S – T U – V – W – X – Y – Z
A – B – C – D – E F – G – H – I – J K – L – M – N – O P – Q – R – S – T U – V – W – X – Y – Z
A – B – C – D – E F – G – H – I – J K – L – M – N – O P – Q – R – S – T U – V – W – X – Y – Z
A – B – C – D – E F – G – H – I – J K – L – M – N – O P – Q – R – S – T U – V – W – X – Y – Z
A – B – C – D – E F – G – H – I – J K – L – M – N – O P – Q – R – S – T U – V – W – X – Y – Z
Devices
Applications
Networks
Data
Users
Degree of
Dependency
21. #RSAC
@sounilyu
Use Case 25: Seeing gaps and opportunities
21
Identify Protect Detect Respond Recover
Technology
People
Process
A – B – C – D – E F – G – H – I – J K – L – M – N – O P – Q – R – S – T U – V – W – X – Y – Z
A – B – C – D – E F – G – H – I – J K – L – M – N – O P – Q – R – S – T U – V – W – X – Y – Z
A – B – C – D – E F – G – H – I – J K – L – M – N – O P – Q – R – S – T U – V – W – X – Y – Z
A – B – C – D – E F – G – H – I – J K – L – M – N – O P – Q – R – S – T U – V – W – X – Y – Z
A – B – C – D – E F – G – H – I – J K – L – M – N – O P – Q – R – S – T U – V – W – X – Y – Z
Devices
Applications
Networks
Data
Users
Degree of
Dependency
22. #RSAC
@sounilyu
Use Case 26: Improving Situational Awareness
22
Devices
Applications
Networks
Data
Users
Degree of
Dependency
Technology
People
Process
Identify Protect Detect Respond Recover
Post-Event
Situational Awareness
Pre-Event
Structural Awareness
23. #RSAC
@sounilyu
Use Case 26: Improving Situational Awareness
23
Devices
Applications
Networks
Data
Users
Degree of
Dependency
Technology
People
Process
Identify Protect Detect Respond Recover
Contextual
Awareness
Environmental
Awareness
Contextual
Awareness
Environmental
Awareness
24. #RSAC
@sounilyu
Use Case 26: Improving Situational Awareness
24
Devices
Applications
Networks
Data
Users
Degree of
Dependency
Technology
People
Process
Identify Protect Detect Respond Recover
Contextual
Awareness
Environmental
Awareness
Contextual
Awareness
Environmental
Awareness
Structural
Awareness
Situational
Awareness
25. #RSAC
@sounilyu
Use Case 26: Improving Situational Awareness
25
Devices
Applications
Networks
Data
Users
Degree of
Dependency
Technology
People
Process
Identify Protect Detect Respond Recover
Contextual
Awareness
Environmental
Awareness
Structural
Awareness
Situational
Awareness
26. #RSAC
@sounilyu
Use Case 26: Improving Situational Awareness
26
Devices
Applications
Networks
Data
Users
Degree of
Dependency
Technology People
Process
Identify Protect Detect Respond Recover
Endpoint
acting funny
Situational: Machine compromised
due to malware installed through
client-side attack
Contextual: User clicked
on a spear phishing email
Environmental:
User of endpoint
failed last phishing
simulation test
Structural: Fully patched,
locked down endpoint,
2FA enabled
Environmental:
Training and awareness
not complete
27. #RSAC
@sounilyu
Use Case 26: Improving Situational Awareness
27
Devices
Applications
Networks
Data
Users
Degree of
Dependency
Technology People
Process
Identify Protect Detect Respond Recover
Contextual: No unusual logins
or interactions with server
Structural: Data
is encrypted
DLP alerts
firing off
Environmental: Content originated from server housing
sensitive blueprints for new product
Environmental:
New B2B connection
made with a Chinese
manufacturing plant
Environmental: Regular
user of server aligned
to new China project
Situational: Probably normal
business activity
Did user get
phished?
28. #RSAC
@sounilyu
Use Case 27: Mapping Training
28
Identify Protect Detect Respond Recover
Technology
People
Process
Devices
Applications
Networks
Data
Users
Degree of
Dependency
SEC505: Securing Windows and
PowerShell Automation
SEC503: Intrusion Detection In-
Depth
SEC617: Wireless Penetration
Testing and Ethical Hacking
SEC542: Web App Penetration
Testing and Ethical Hacking
SEC567: Social Engineering for
Penetration Testers
SEC599: Defeating Advanced
Adversaries - Purple Team Tactics
& Kill Chain Defenses
DEV543: Secure C/C++ Coding
FOR500: Windows Forensic
Analysis
SEC460: Enterprise Threat and
Vulnerability Assessment
FOR572: Advanced Network
Forensics: Threat Hunting,
Analysis & Incident Response
SEC504: Hacker Tools,
Techniques, Exploits, and
Incident Handling
SEC504: Hacker Tools,
Techniques, Exploits, and
Incident Handling
SEC504: Hacker Tools,
Techniques, Exploits, and
Incident Handling
SEC504: Hacker Tools,
Techniques, Exploits, and
Incident Handling
SEC530: Defensible Security
Architecture and Engineering
SEC530: Defensible Security
Architecture and Engineering
SEC530: Defensible Security
Architecture and Engineering
SEC450: Blue Team
Fundamentals: Security
Operations and Analysis
SEC450: Blue Team
Fundamentals: Security
Operations and Analysis
SEC460: Enterprise Threat and
Vulnerability Assessment
SEC506: Securing Linux/Unix
SEC534: Secure DevOps: A
Practical Introduction
29. #RSAC
@sounilyu
Use Case 28: Mapping Cloud (IaaS/PaaS) Security
29
Identify Protect
Cloud Security Posture
Management
(CSPM)
Cloud Workload Protection
Platform (CWPP)
Devices
(containers, compute, hosts)
Applications
(microservices, serverless)
Networks
(VPC, VPN, CDN, DNS)
Data
(datastores, databases, files)
Users
(accounts, user roles)
CSPM
IAM Configuration
PaaS Configuration
Network Configuration
Storage Configuration
CWPP
Cloud Workload Protection Platform
CWPP CWPP CWPP
CWPP CWPP
Cloud-Native
Security
Services
ADC, LB, WAF,
DoS, FW, etc.
Control Plane
Data Plane
Source: Gartner Market Guide for Cloud Workload
Protection Platforms, 2020 (slightly modified)
CIEM
30. #RSAC
@sounilyu
Use Case 29: Mapping Control Failures
30
1. No asset inventory (CSC01)
2. No software inventory (CSC02)
3. No file integrity monitoring
4. No network segmentation
5. Neglected SSL Inspection (SSLV) Appliance
6. Neglected SSLV failed open
7. SSLV lacked certs for key systems
8. SAST failed to find Struts due to misconfig
9. No anomaly detection on web servers
10. Custom snort rule didn’t work
11. Custom snort rule wasn’t tested
12. Network scanner didn’t find Struts
13. Failed to detect webshells
14. Failed to detect interactive activity
15. Admins stored cleartext creds in open shares
16. Least privilege principles not followed for database
access
17. DB adhoc queries restrictions not implemented
18. No DB anomaly monitoring
19. No field-level encryption in DBs
20. No data exfiltration detection
21. DAST scanning failed to detect vulns
22. Ineffective IR plan/procedures
23. No owners assigned to apps or DBs
24. Comms issues due to corp structure
25. Lack of accountability in processes
26. Patching remediation lacked follow up
27. Old audit findings were not addressed
28. Insecure NFS configs
29. Logs retained for less than 30 days
32. #RSAC
@sounilyu
Use Case 29: Mapping Control Failures
Courtesy of Adrian Sanabria (@sawaba)
32
1, 12 26, 28 29
2, 8, 21, 23 26 3, 9, 13, 14
4, 5, 6, 7, 16 10, 11, 20
15, 23 16, 17, 19 17, 18, 20
Devices
Applications
Networks
Data
Users
Degree of
Dependency
Technology People
Process
Identify Protect Detect Respond Recover
People Oriented
Control Failure
Process Oriented
Control Failure
Tech Oriented
Control Failure
1, 12 26, 28 29
2, 8, 21, 23 26 3, 9, 13, 14
4, 5, 6, 7, 16 10, 11, 20
15, 23 16, 17, 19 17, 18, 20
33. #RSAC
@sounilyu
Use Case 30: Reconciling Inventories
33
With modifications from original source: https://www.philvenables.com/post/taking-inventories-to-the-next-level-reconciliation-and-triangulation
• Enable inventory reconciliation
using a multi-domain approach
using the five asset classes of the
Cyber Defense Matrix
• Drive better data quality by
creating “fast lanes” for security
approvals if inventories are up-
to-date
Authorized data
sources can only go
to approved vendors
from approved
applications
Applications must run
on known systems or
be contained in
authorized container
registries
All employees
must have a
direct manager
All data associated
with Internet facing
applications must
be classified/
tagged
Data owners must
formally hold that
role and be part of
the organization
accountable
for that data
Vendor
Inventory
Application
Inventory
Device
Inventory
Network
Inventory
Data
Catalog
User
Directory
Role
Directory
34. #RSAC
@sounilyu
“Apply” Slide
34
Map your security organization to the Cyber Defense Matrix
Try out the use cases described here, in the previous briefings,
and in the Cyber Defense Matrix book
Develop a new use case for the Cyber Defense Matrix
Share the new use case with the community!
This will be the third and final installment of the Cyber Defense Matrix (CDM) as a standalone presentation. The previous two occurred in 2016 and 2019, so this would be well placed with 3 years of spacing in between.
In this last installment, I plan to share more new use cases of the CDM including:
How threat hunters can methodically gain increasing levels of situational awareness
How planners can anticipate erosion of controls and budget for training and technology refreshes
How governance teams can build a metrics and measurements program starting with the CIS Controls Assessment Specification (which is already mapped to the CDM)
How application security teams can align security functions into the CI/CD pipeline, DevOps, and the Agile methodology
How practitioners can evaluate how thoroughly they have covered their cloud security needs
How entrepreneurs and VCs can find new market opportunities and adjacencies to existing products
How vulnerability management teams can prioritize vulnerabilities better when they have a more complete view in context with other assets and mitigating controls
How CISOs can develop their security program roadmap
How the CDM enables a multi-domain approach for inventory and reconciliation
How CISOs can leverage the CDM in board briefings to convey a complete view of their entire security program in one slide
I will start the session by giving a quick overview of the CDM, showing how we can do the standard mapping of security vendors to the CDM, quickly point out the 20 other use cases previously shown in the 2016 and 2019 briefings, and then launch into the new use cases that I've described. I'll wrap up by mentioning the Learning Lab if people want to learn more.