SlideShare a Scribd company logo
1 of 35
#RSAC
SESSION ID:
Sounil Yu
The Cyber Defense Matrix, Reloaded
STR-T09
@sounilyu
#RSAC
#RSAC
Vendors shown are representative only
No usage or endorsement should be construed because they are
shown here
Opinions are my own and do not represent those of my employer
Disclaimers
@sounilyu 3
All models are wrong, but some are useful
- George E. P. Box
…and some models are measurably more useful
- Doug Hubbard
#RSAC
Background on the Cyber Defense Matrix
@sounilyu 4
#RSAC
Background on the Cyber Defense Matrix
@sounilyu 5
Operational Functions
Inventorying assets and vulns,
measuring attack surface,
prioritizing, baselining normal,
threat modeling, risk assessment
Preventing or limiting impact,
patching, containing, isolating,
hardening, managing access,
vuln remediation
Discovering events, triggering on
anomalies, hunting for
intrusions, security analytics
Acting on events, eradicating
intrusion, assessing damage,
forensic reconstruction
Returning to normal operations,
restoring services, documenting
lessons learned, resiliency
Asset Classes
Workstations, servers,
phones, tablets, storage,
network devices, IoT
infrastructure, etc.
Software, interactions,
and application flows on
the devices
Connections and traffic
flowing among devices
and apps
Information at rest, in
transit, or in use by the
resources above
The people using the
resources listed above
10011101010101010010
01001101010110101001
11010101101011010100
10110101010101101010
DEVICES
APPS
NETWORKS
DATA
USERS
IDENTIFY
PROTECT
DETECT
RESPOND
RECOVER
#RSAC
The Cyber Defense Matrix
@sounilyu 6
Operational Functions
Inventorying assets and vulns,
measuring attack surface,
prioritizing, baselining normal,
threat modeling, risk assessment
Preventing or limiting impact,
patching, containing, isolating,
hardening, managing access,
vuln remediation
Discovering events, triggering on
anomalies, hunting for
intrusions, security analytics
Acting on events, eradicating
intrusion, assessing damage,
forensic reconstruction
Returning to normal operations,
restoring services, documenting
lessons learned, resiliency
Asset Classes
Workstations, servers,
phones, tablets, storage,
network devices,IoT
infrastructure, etc.
Software, interactions,
and application flows on
the devices
Connections and traffic
flowing among devices
and apps
Information at rest, in
transit, or in use by the
resources above
The people using the
resources listed above
10011101010101010010
01001101010110101001
11010101101011010100
10110101010101101010
DEVICES
APPS
NETWORKS
DATA
USERS
IDENTIFY
PROTECT
DETECT
RESPOND
RECOVER
Devices
Applications
Networks
Data
Users
Degree of
Dependency
Technology People
Process
Identify Protect Detect Respond Recover
#RSAC
Devices
Applications
Networks
Data
Users
Degree of
Dependency
Technology People
Process
Identify Protect Detect Respond Recover
Background on the Cyber Defense Matrix
@sounilyu 7
#RSAC
Enterprise Security Market Segments
@sounilyu 8
Devices
Applications
Networks
Data
Users
Degree of
Dependency
Technology People
Process
Identify Protect Detect Respond Recover
IAM Endpoint Detection & ResponseConfig Mgt,
Vuln Scanner
Data Audit,
Discovery,
Classification
RASP,
WAF
Phishing
Simulations
DDoS Mitigation
Insider Threat /
Behavioral
Analytics
Network
Security
(FW, IPS/IDS)
DRM
Encryption,
Tokenization,
DLP, DRM
Netflow,
Network Vuln
Scanner NW Forensics
AV, HIPS
Deep Web,
Brian Krebs,
FBI
Backup
Phishing &
Security
Awareness
SAST, DAST,
SW Asset Mgt,
Fuzzers
EP Forensics
#RSAC
We care about more than just the assets that are owned
and controlled by the enterprise
@sounilyu 9
Threat Actors
Vendors
Customers
Employees
Enterprise Assets
• Devices - workstations, servers, phones,
tablets, IoT, peripherals, storage, network
devices, web cameras, infrastructure, etc.
• Applications - The software, interactions,
and application flows on the devices
• Network - The connections and traffic
flowing among devices and applications
• Data - The information residing
on, traveling through, or processed by the
resources listed above
• Users – The people using the resources
listed above
01001101010110101001
10110101010101101010
Operational Functions
• Identify – inventorying assets and vulns,
prioritizing, measuring attack surface,
baselining, threat modeling, risk assessmt
• Protect – preventing or limiting impact,
patching, containing, isolating, hardening,
managing access, vuln remediation
• Detect – discovering events, triggering on
anomalies, hunting for intrusions, security
analytics
• Respond – acting on events, eradicating
intrusion footholds, assessing damage,
coordinating response, forensics
• Recover – returning to normal
operations, restoring services,
documenting lessons learned
#RSAC
Devices
Applications
Networks
Data
Users
Identify Protect Detect Respond Recover
Devices
Applications
Networks
Data
Users
Identify Protect Detect Respond Recover
Devices
Applications
Networks
Data
Users
Identify Protect Detect Respond Recover
Devices
Applications
Networks
Identify Protect Detect Respond R
Market Segments – Other Environments
@sounilyu 10
Threat Actor Assets
Threat
Intel
Intrusion
Deception
Malware
Sandboxes
Vendor Assets
Cloud Access
Security Brokers
Vendor Risk
Assessments
Customer Assets
Endpoint Fraud
Detection
Device
Finger-
printing
Digital
Biometrics
Web Fraud
Detection
Employee Assets
BYOD
MAM
BYOD
MDMPCI-DSS, GDPR
#RSAC
Recap from 2016 Briefing
11@sounilyu
Other Use Cases
Primary Use Case: Vendor Mapping
Differentiating Primary &
Supporting Capabilities
Defining Security
Design Patterns
Maximizing
Deployment Footprint
Understanding the
New Perimeter
Calculating
Defense-in-Depth
Balancing Your
Portfolio Budget
Planning for
Obsolescence
Disintermediating
Security Components
Comparing Point
Products vs Platforms
Finding Opportunities
for Automation
Identifying Gaps in
People, Process, Tech
https://bit.ly/cdm-rsa2016
#RSAC
Early Stage Expo and Sandbox Vendors
12
Identify Protect Detect Respond Recover
Technology People
Process
Devices
Applications
Networks
Data
Users
Degree of
Dependency
@sounilyu
Disclaimer: Vendors shown are
representative only. No usage or
endorsement should be construed
because they are shown here.
SecurePlus Data
#RSAC
Devices
Applications
Networks
Data
Users
Identify Protect Detect Respond Recover
Devices
Applications
Networks
Data
Users
Identify Protect Detect Respond Recover
Devices
Applications
Networks
Data
Users
Identify Protect Detect Respond Recover
Devices
Applications
Networks
Identify Protect Detect Respond R
Early Stage Expo and Sandbox Vendors
13@sounilyu
Threat Actor Assets
Vendor Assets
Customer Assets
Employee Assets
Disclaimer: Vendors shown are
representative only. No usage or
endorsement should be construed
because they are shown here.
#RSAC
Use Case 12: Optimal Resource Allocation Ratios
14@sounilyu
Technology
People
Processes
Technology People
Process
90 70 50 30 10
10 30 50 70 90
50 50 50 50 50
Identify Protect Detect Respond Recover
~10:1 ~2:1 1:1 ~1:2 ~1:10Tech:People Ratio
RISK ADVERSE POSTURE RISK TAKING POSTURE
#RSAC
Use Case 13: Understanding Handoffs and Responsibilities
15@sounilyu
Identify Protect Detect Respond Recover
Endpoint Services CERT
Endpoint
Team
LOBs App Monitoring LOBs
Network Services Network Monitoring Net Svcs
Chief Data Officer Data Loss Prevention CDO
Human Resources
Insider
Threat
Human Resources /
Physical Security
Devices
Applications
Networks
Data
Users
#RSAC
Use Case 13: Understanding Handoffs and Responsibilities
16@sounilyu
Inventory: Systems Mgt
Prioritize: Function / Ownership
Vuln / Attack Surface Measurement: Vulnerability Scanner
Inventory: Application Inventories, API Inventories
Prioritize: Critical App List
Vuln / Attack Surface Measurement: SAST/DAST/IAST
Inventory: Netflow
Prioritize: Function / Volume
Vuln / Attack Surface Measurement: Path Analysis
Inventory: Data Repository Lists
Prioritize: Data Classification
Vuln / Attack Surface Measurement: Level of Exposure
Inventory: HR Systems / Payroll
Prioritize: Hierarchy
Vuln / Attack Surface Measurement: Background Chk/ Phishing
Devices
Applications
Networks
Data
Users
Identify
Function RACI
Establish
Inventory
RA – Owner
I – Security
Prioritize
Inventory
R – Owner
I – Security
Measure Vuln/
Attack Surface
R – Security
ACI – Owner
Technology
People
Process
• Observations:
- There are greater inefficiencies
when the RACI is out of
alignment in a given domain
- Identify functions that are
largely performed manually will
result in poor data quality
#RSAC
Use Case 13: Understanding Handoffs and Responsibilities
17@sounilyu
Configure: Systems Mgt
Patch: Patch Mgt
Policy: Endpoint / Server Security Policy
Configure: Application Security Lifecycle, BSIMM
Patch: Code Updates, WAF, RASP
Policy: Application Security Program
Configure: Network Segmentation
Patch: Firewalls
Policy: Network Security Policy
Configure: Encryption, Tokenization
Patch: Re-encryption
Policy: Data Security Policy
Configure: Onboarding Orientation
Patch: Annual / Periodic Training / Teachable Moments
Policy: User Awareness Policy
Devices
Apps
Networks
Data
Users
Protect
Technology
People
Process
Function RACI
Configure
RA – Owner
CI – Security
Patch
RA – Owner
CI – Security
Policy
Definition
RA – Security
CI – Owner
#RSAC
Devices Applications Networks Data Users
Define Policy • Device usage policy
• Baselines, standards
• SaaS usage policy
• App Dev policy
• Network access policy • Classification guide • Acceptable use policy
Repair / Correct /
Patch / Remediate
• Patch • Fix bugs
• Patch
• Modify ACLs • Encrypt
• Chg permissions
• Training and awareness
Least Priv / Control
Access/ Separation
of Duties
• Active Directory/ LDAP /
RADIUS
• Admin Priv Escalation
• Mutual TLS, API keys
• User authenication
• Dev/Test/Prod sep
• VPN
• NAC
• Firewalls, VLANs
• Need to know
• Database activity
monitoring
• IAM, Access review
• SoD, Roles &
Responsibilities
Credential
Management
• Credential Vaulting • Credential Vaulting
• API key management
• Credential Vaulting
• TACACS
• Key management
system, HSMs
• Password manager
• Multifactor Auth
Whitelist /
Blacklist
• Signature-based (A/V),
Behavior-based (HIPS)
• Run-time application self
protection
• Default deny ACLs
• Default allow ACLs
• HMACs • Persona non grata
• Full ID check
Harden • Configuration hardening • Secure coding
• Code obfuscation
• Close comms paths
• TLS encryption
• AES encryption • Training and awareness
Least Functionality • Unnecessary service
removal
• Microservices
• Containers
• Single packet
authentication
• Need to know
• Differential privacy
• N/A
Isolation /
Containment
• Virtualization,
sandboxing
• Containers, Content
Disarm and Reconstr
• Walled garden,
remediation network
• Rights management
system
• Quarantine, jail
Audit / Log
Events
• A/V, HIPS, login, and
other event logs
• Application logs
• Authentication logs
• VPN, NAC, Firewall, DNS,
DHCP logs
• Database logs, DB
activity logs
• User activity logs
Change
Management
• File integrity monitoring • Version / release control • Network change
management tools
• Integrity monitoring • Manager 1:1s
Patterns and Anti-Patterns in PROTECT functions
18
#RSAC
Use Case 14: Understanding why do some things that we
buy never get used
19@sounilyu
Source: Security Shelfware: Which Products Are Gathering Dust In the Shed and Why?
https://www.rsaconference.com/writable/presentations/file_upload/mash-t07a-security-shelfware-which-products-gathering-dust-and-why.pdf
0 5 10 15 20
WAF
Web filtering
Forensics
AV
User awareness
IDAM / SSO / Priv Mgt
SIEM
FIM
GRC
Vuln Scanners
IPS
IDS
What ends up on the shelf?
0 5 10 15 20
Vaporware
Lack of Updates
Bundled / Cheap
Compliance / Regulatory Requirement
Budget cuts
Replaced with competing product
Lack of staff
Internal politics
Unable to use/enable features
Not enough expertise
Why
Vendors Users
#RSAC
Detect
Devices
Applications
Networks
Data
Users
SIEM
UEBA
EDR
IDS
SIEM
UEBA
UBA
People
Technology
Process
Use Case 14: Understanding why do some things that we
buy never get used
20@sounilyu
• Observation: People/Tech Mix
- At the DETECT stage, an equal mix of
people and technology are needed (i.e.,
you CANNOT automate everything)
• Mapping:
- Alignment is done by USE CASE, not by
TELEMETRY
- A generic analytics platform that
consumes a wide range of TELEMETRY
can satisfy a wide range of USE CASES
- Vendors typically sell the fine tuning of
DETECTION RULES to satisfy a USE CASE
using specific TELEMETRY
#RSAC
Use Case 15: Visualizing Attack Surfaces
Devices
Applications
Networks
Data
Users
Vuln Assessment
OS Hardening
Config
Compliance
SAST
DAST
WAF
Load Balancer
IAM
Log Analysis
Netflow
DDoS Prevention
Firewall
IPS/IDS
DDoS Mitigation
PCAP Analysis
Encryption
Tokenization
Identify Protect Detect Respond Recover
@sounilyu 21
Devices
Applications
Networks
Data
Users
SAST
DAST
WAF
Load Balancer
IAM
Log Analysis
Encryption
Tokenization
Identify Protect Detect Respond Recover
Traditional Web Application
Serverless Function
#RSAC
Specialized Generalized
Generalized Specialized
Use Case 16: Differentiating between Generalized vs Specialized
Needs
22@sounilyu
Technology
People
Processes
Technology People
Process
Identify Protect Detect Respond Recover
Specialized: skills or capabilities needed to service security needs (e.g., vulnerability scanners,
access control systems, hunting skills, incident response skills)
Generalized: skills or capabilities sufficient to service security needs (e.g., analytic platforms,
orchestration tools, vulnerability management skills, risk management skills)
Try to avoid acquiring specific capabilities that can be supported with generalized resources
#RSAC
Devices
Applications
Networks
Data
Users
Identify Protect Detect Respond Recover
Use Case 17: Measurements: Checklist Based Approaches
23
Are the vendor's default passwords and default log-in names changed
on software applications before those applications are put into
operation?
•Are passwords for service accounts (e.g., backupserver, sp_content)
extremely complex in their character sets and length?
•Are the boot sequences on the organization's computers set so that
the computers cannot be booted from external media, such as USB
drives or CD's?
•Is each type and level of application privilegeassigned an appropriate
type and level of authentication mechanism? (e.g., do administrator
privileges require a more secure log-in mechanism than ordinary
privileges?)
•Is there a documented procedure for removing and verifying the
removal of application privileges when these are no longer needed?
Has the organization formally assigned sensitivity classifications to its
information files?
Are the sensitivity classifications that the organization employs
designed to provide a good basis for encryption policies?
Are the sensitivity classifications that the organization employs
periodically reviewed to make sure that they are not excessively
restrictive, encumbering corporate activities with necessary
precautions, or insufficiently restrictive, exposing corporate activities to
losses and harm?
Does the organization avoid storing types of data that could create
liabilities,but do not serve any important business or government
function? (e.g., does the organization erase credit card numbers as
soon as the transactions using those numbers have been successfully
processed, if the customers are going to be asked to enter these
numbers again when making future purchases?)
Are all input fields for data restricted to an appropriate minimum and
maximum length? (e.g., a Social Security Number field should only
allow nine numerals.)
Are all input fields for data restricted to the appropriate characters and
expressions? (e.g., a Social Security Number field should not allow
anything but numerals and dashes.)
Are there limitations on the data fields for the database that
correspond to the limitations in the fields on the user interface, so that
improper data are not inserted directly into the database?
Are the service ports for critical applications configured to filter out
data that is outside the proper operating parameters for those
applications?
Are the limitations on what can be written into the input fields made
sufficiently restrictive, wherever possible, so that those fields will not
accept executable instructions?
Is the ability to alter or input data into documents or databases
restricted to those employees who would have a valid need to do so in
the course of their normal work?
Are data fields that would rarely need to be changed made read-only as
soon as the data entry is verified as correct?
Are documents that present the organization's work or positions
converted into formats that cannot be easily modified, before they are
circulated electronically outside the organization?
When documents are converted into formats that cannot be easily
modified, are those documents digitally signed to make them even
harder to falsify?
Are the digital signatures on important documents routinely checked
to verify their source before those documents are accepted and
utilized?
Are critically important e-mails sent using an application that hashes
their contents, so that the e-mails' contents cannot easily be falsified?
Is there an automatic process for monitoring systems for symptoms
that false information may have been inserted?
If there is reason to believe an attacker could benefit greatly from
altering a body of data, is that data associated with a hash that would
reveal if the data has been altered?
Is there a mechanism for monitoring and logging all changes to critical
databases?
Are all uploads of sensitive data files monitored and logged?
Are all uploads of encrypted data files monitored and logged?
Is there an alarm mechanism that warns if data is apparently being
entered by employees in quantities or with distributions that are not
consistent with those employees' normal work patterns?
After a data field has been made read only, is there an appropriate
procedure for correcting that field under special circumstances and for
verifying that correction?
Is the database designed so that sensitive information cannot be over-
written, without successive, time-stamped revisions being securely
archived?
Wherever practical, is any authentic information that might be stolen
intermixed with bogus information that would cause harm or lead to
the possible prosecution of anyone who tries to use it?
Are receipts for important e-mails collected and stored to provide a
record verifying that they reached the intended recipients?
If log files need to be preserved for an extended period of time for legal
reasons, are these files stored in a tamper-proof form at more than one
physical location?
Are all corporate information systems protected with basic
authentication mechanisms, such as log-in name and password?
Are log-in attempts limited to a certain number per minute (rather than
a certain number altogether)?
Is the rate at which log-in's can be attempted automatically slowed
further after multiple failed attempts?
If the log-in process is regularly under attack, is there a queuing system
that would allow someone trying to properly access the system to get a
turn at logging into it?
If an account is accessed only after a considerable number of failed log-
in attempts, is that account then monitored for improper use?
Is there a simple automated procedure for cancelling any access
provided by an employee's password, authentication token, or
biometric information when that employee leaves the firm?
Is there a program checking passwords when they are created to make
sure that they meet the prescribed minimum length and complexity
requirements?
Are password choices automatically rejected if they are on the list of
most commonly used passwords or consist mostly of a commonly used
password?
Are the characters typed into password fields masked, so that they
can't be read by bystanders?
Are there automatic alarms triggered by multiple failed log-in attempts,
even if distributed across time, across user ID's, or different systems?
Are multiple failed attempts to access applications reviewed in a timely
manner, even if those failed access attempts are by authorized
employees?
Is an effort made to identify and investigate successful access
authentications that are carried out at unusual hours of the day or
night?
Is there an alarm mechanism that would warn of the theft of a file in
which passwords are stored?
If an employee needs to recover a password from a remote location, is
a link to recover or reset the password sent in an e-mail to that
employee's regular e-mail account after the employee has successfully
answered the challenge questions?
Is there a simple automated procedure for rapidly revoking the
privileges for tokens and smart cards, if they become compromised?
Is there an efficient procedure for replacing tokens and smart cards?
Is there a simple automated procedure for revoking the privileges for
any biometric identifier that is compromised?
Does the organization maintain a comprehensive list of all the system
names and their associated network addresses on the organization's
network?
Do detailed network topology diagrams exist of the corporate network,
so that all the connection routes can be traced?
Do the detailed network topology diagrams list the service paths and
network protocols being used?
Has the information on the network topology diagram been verified to
be accurate, so that all the components and connections on the
network are indeed included?
Are all documents diagramming network topologies rigorously
protected from unauthorized access?
Does the organization maintain comprehensive access control lists for
its routers, including the internet protocol addresses and port numbers
being utilized?
If the organization is maintaining a separate network for security
reasons, are all unnecessary services and broadcasts disabled on the
gateway between networks, including responses to ping requests and
traceroute requests, so that the existence of the gateway is difficult to
detect?
If a network is used for highly critical functions, does the organization
periodically change the port numbers used by those critical services, so
that any previous unauthorized explorations by potential attackers of
those port numbers and their uses will be made obsolete?
If a network is used for highly critical functions, does the organization
periodically change the names of servers and other devices, so that any
previous unauthorized explorations by potential attackers of those
names and what they designate will be made obsolete?
Are the baseline standards for equipment connected to the
organization's network periodically reviewed and updated?
Are the vendor's default security settings, including default passwords
and user names, changed on systems before those systems are
connected to the network?
Are vulnerability scans or penetration tests performed on critical
systems both before they are connected to the corporate network and
regularly thereafter?
Are employees explicitly forbidden to plug unauthorized electronic
devices, such as flash drives, iPods, Kindles, smart phones, and digital
cameras, into equipment inside the corporate network?
Are switches in criticallyimportant facilities configured so that they will
not connect to any pieces of electronic equipment that are not on the
list of authorized manufacturer identification (MAC) numbers?
Are wireless access points in critically important facilities configured so
that they will not connect to any pieces of electronic equipment that
are not on the list of authorized manufacturer identification (MAC)
numbers?
Do the wireless connections employ strong encryption technologies?
Are there strict requirements and procedures for deploying any
modems within the corporate infrastructure?
Is there a documented approval process for giving people remote
access to modems?
If it is necessary to use insecure protocols for receiving or sending data,
such as the File Transfer Protocol (FTP), are these insecure protocols
supplemented with security protocols at the session protocol layer
(e.g., yielding FTPS) or else transmitted over a virtual private network?
Does the organization have agreements with vendors in which they
guarantee a specified level of network reliabilityand service?
Do corporate policies limit the use of unencrypted protocols, such as
FTP, Telnet, or earlier versions of SNMP, for system management,
unless the system explicitly requires these protocols?
If the systems require unencrypted protocols, such as FTP, Telnet, or
earlier versions of SNMP, for their management, are the corresponding
connections set to shut down after a limited period of time?
Does the corporation use access control lists to restrict SNMP requests
from unauthorized systems to networking equipment, such as routers
and switches?
Are there policies for limiting the use of any remote management tools
that would allow systems to be controlled from outside the corporate
network?
Have the networking components been configured to give more critical
categories of traffic, such as process control instructions, priority over
less critical categories of traffic, such as e-mails?
Are there procedures for rate-limiting traffic so that the network is not
incapacitated by excessive loads on the services affected?
Have tests been conducted to make sure that critical systems cannot
be taken offline too easily by large amounts of data or traffic, such as
might be employed in a denial service attack?
Is the network automatically and frequently scanned for connections to
pieces of electronic equipment with manufacturer identification (MAC)
numbers that are not on the list of authorized devices?
Does the organization monitor for symptoms of manufacturer
identification (MAC) numbers being spoofed, such as a mismatched
operating system, mismatched device type, incorrect device location,
and uncharacteristic behavior of the device?
Is a wireless analyzer periodically run to identify any unauthorized
wireless devices that may have been connected to the network?
Are internal war-dialing campaigns periodically carried out to identify
unauthorized modems that can be reached by dialing in?
Are corporate phone exchanges periodically checked to detect outside
attempts at finding unauthorized modems by war-dialing campaigns?
Are the logs of server configurations regularly reviewed to make sure
that any changes in the configurations did not undermine security?
If the servers are performing critical operations or store very sensitive
information, are the logs recording changes in their configurations
reviewed daily?
Are all modifications of router and switch configurations logged?
Are the people in the organization who are responsible for cloud
computing policies made aware that the use of an external cloud
provider will require additional security measures?
Are the people in the organization who are responsible for cloud
computing policies made aware that any unencrypted information
stored with a cloud provider could potentially be obtained by a
subpoena before the organization could take legal steps to prevent
this?
Are the people in the organization who are responsible for cloud
computing policies made aware that the extra encryption needed to
secure information in the cloud could result in longer response times
for information systems?
Do all administrator accounts used for cloud computing resources
require two-factor authentication?
Does the organization maintain separation between virtual machines
performing more critical operations and those performing less critical
operations?
Is the management of external cloud computing resources performed
using encrypted channels?
Is any remote use of the cloud management interface performed over
secure communication channels, such as a virtual private network?
Is the cloud management interface configured to restrict administrator
access from unknown internet protocol addresses?
Is the cloud management interface designed with the minimum
number of functions needed to manage the virtual machines, so that
there are fewer opportunities to mount an attack utilizing those
functions?
Is all sensitive information that the organization stores in the cloud
encrypted?
Is all sensitive information transmitted between the client and the
cloud encrypted?
Does the cloud provider maintain redundant secure communication
channels for accessing the cloud management interfaces?
If the organization performs critical operations using external cloud
computing resources, are these operations logicallyisolated from other
virtual machines by the use of a separate hardware-level hypervisor?
Is the organization choosing virtual machines for its critical operations
that are designed to fail to a state which protects the system from
security compromises and data breaches?
If the organization allows its employees to use third-party collaborative
platforms, such as Google Docs or Dropbox, for standard business
operations, do they require employees to use only those platforms that
encrypt all files at rest?
Does the organization require its employees to refrain from putting any
information on third-party collaborative platforms if it is considered
very sensitive?
If the organization allows its employees to use third-party collaborative
platforms, such as Google Docs or Dropbox for standard business
operations, has two-step log- in verification been implemented for
those accounts?
Are employees prevented from using personally owned smart phones
to access third-party collaborative platforms used for work?
Are backups of sensitive information that are made by the cloud
provider periodically duplicated and stored at a third site, physically
separate both from the cloud provider's facilities and from the
organization's main facilities?
Are copies of cryptographic keys used to encrypt sensitive information
at the external provider of cloud computing services stored at a third
site, physically separate both from the cloud provider's facilities and
from the organization's main facilities?
Does the organization have a set of procedures ready for moving all of
its cloud operations and data out of the cloud?
Does the organization have a set of procedures ready for moving all of
its cloud operations and data to another cloud provider?
Are employee laptops protected by anti-virus software?
Are all smart phones issued by the organization protected by anti-virus
software if those devices are vulnerable to viruses?
Are the anti-virus signatures and definitions on employee laptops and
smart phones updated as soon as new signatures are available?
Are employee laptops protected by internet-protection software that
blocks access to dangerous websites or known hostile IP address
ranges?
Are infrared, bluetooth, and wireless links on laptops and mobile
devices disabled when not required for business functions?
Are remote log-in's from employee laptops required to use IP
addresses that were used in the past or are consistent with the
employee's expected geographical location?
Are telecommuters required to use virtual private network connections
to obtain access to the corporate network?
If the organization uses virtual private networks, is two-factor
authentication required?
If the organization uses a virtual private network to access highly-
critical systems, are more stringent authentication mechanisms, such
as tokens and biometrics, required?
If the organization uses virtual private networks, are the connecting
computers first connected to a computer in an isolated network that
runs a security check on the remote computer before it is granted
access to the internal network?
Are employee laptops protected by anti-virus software? Are replacements on hand for the most functionally important servers,
desktop computers, laptop computers, and other equipment, in case
these are stolen or physically damaged
Have you disabled or modified the banners or strings that announce
the name and version of the software products being used on public-
facing web servers?
If an employee is promoted to a considerably higher level of
responsibility and access, is a new background check carried out?
Are security logs for firewalls regularly reviewed to establish baselines
for normal traffic patterns?
Are security logs for
firewalls regularly
reviewed to establish
baselines for normal
traffic patterns?
Have you disabled or modified the
banners or strings that announce
the name and version of the
software products being used on
public-facing web servers?
Are replacements on hand for the most
functionally important servers, desktop
computers, laptop computers, and other
equipment, in case these are stolen or
physically damaged
If an employee is promoted to a
considerably higher level of
responsibility and access, is a new
background check carried out?
Are employee laptops
protected by anti-virus
software?
@sounilyu
*Checklist questions are from US Cyber Consequences Unit
#RSAC
Use Case 17: Measurements: Checklist Based Approaches
24
19/34 2/723/25 6/9 11/14
40/52 44/5913/25 18/40 13/43
18/26 34/527/59 8/29 18/33
23/38 16/396/37 25/28 25/47
27/42 8/1213/28 49/51 12/16
Devices
Applications
Networks
Data
Users
Identify Protect Detect Respond Recover
@sounilyu
#RSAC
Use Case 17: Measurements: Checklist Based Approaches
25
Devices
Applications
Networks
Data
Users
Identify Protect Detect Respond Recover
56% 29%66% 67% 79%
77% 75%52% 45% 30%
69% 65%12% 28% 55%
61% 41%16% 89% 53%
64% 67%46% 96% 75%
@sounilyu
#RSAC
Use Case 18: Applying Security Design Patterns to Fit
Business Constraints
26@sounilyu
DAY
EXTENDERS
COMMODITY
TRADERS
General Specialized
SENIOR
EXECUTIVES
BRANCH
OFFICE
DEVELOPERS /
DATA ANALYSTS
CALL
CENTERS
ROAD
WARRIORS
OFFICE
WORKERS
Who
Are
You
?
O O O O
O O O O
O O O
O O O
O O O O
O O O
O O O O
O O O O
O O O O
O O O
O O O O
O O
O O
O O O
O O O O O
O
O
O O O
O O O
O O O
O O
O O O O O
O O O
O O O O
O O O
O O
O O
O O
O O
O O O
O O O
O O O O O
O O O O O
O O O O O
O O O O O
O O O O O
= 80
Max Possible Security Posture = 100
Min Required Security Posture > 70
(Due to inherent risks and risk tolerance)
Max Possible Security Posture = 50
Min Required Security Posture > 55
(Due to inherent risks and risk tolerance)
= 56
Going above maximum possible security posture results in a
business impact and forces a conscious tradeoff between
business impact and security posture
#RSAC
Devices
Applications
Networks
Data
Users
Degree of
Dependency
Technology People
Process
Identify Protect Detect Respond Recover
Use Case 19: New Tech Areas - Vuln Assessment vs Pen Testing vs
Breach and Attack Simulation vs Red Team
27@sounilyu
Penetration
Testing
RedTeam
Vulnerability
Assessment
Breachand
AttackSim
Where are we
inherently
vulnerable?
Are those vulnerabilities
mitigated or protected?
For those that are not, do we
log the event and get it just
before the point where an
analyst would have seen it?
Is the event actually
escalated to an incident
with an associated
response action?
#RSAC
Use Case 20: New Tech Areas - Zero Trust
28@sounilyu
Device Certs Host-Based Firewalls
SSL Certs API Gateways
IP Address
“Zero Trust”,
Single Packet Authentication
Hashes, Checksums Encryption
Passwords, Tokens,
No-Passwords
N/A
Devices
Applications
Networks
Data
Users
Identify (From) Protect (To)
Establishes
trustworthiness
of the asset
Enforces access policy based
on trustworthiness and
other environmental factors
#RSAC
Other Frameworks: Mapping the Kill Chain View #1
29@sounilyu
Devices
Applications
Networks
Data
Users
Identify Protect Detect Respond Recover
#RSAC
Other Frameworks: Mapping the Kill Chain View #2
30@sounilyu
#RSAC
Other Frameworks: Mapping ATT&CK (in progress)
31@sounilyu
Devices
Applications
Networks
Data
Users
Identify Protect Detect Respond Recover
Visibility/Data Sources
Mitigations Cyber Analytic Repository
#RSAC
Other Frameworks: Mapping to the CIS Top 20 Critical
Security Controls
32@sounilyu
1.1 1.4
1.2 1.5
1.3 9.1
1.7 8.3 9.5 15.6
1.8 8.5 12.12 15.9
8.1 9.2 15.4
8.2 9.4 15.5
8.4 8.8
8.6 9.3
1.6
2.1 2.2 2.3
2.4 2.5
2.7 3.4 5.3 7.3
2.8 3.5 5.4
2.9 5.1 7.1
2.10 5.2 7.2
3.1 3.2 5.5 2.6 3.6 3.7
11.1 12.1
11.2 15.1
7.4 7.10 12.3 14.3
7.5 11.4 12.4 15.7
7.7 11.5 12.7 15.8
7.8 11.6 14.1 15.10
7.9 11.7 14.2
6.1 6.6 11.3 12.9
6.2 6.7 12.2 12.10
6.3 6.8 12.5 15.2
6.4 7.6 12.6 15.3
6.5 8.7 12.8
13.1
10.1 10.5 13.7 14.6
10.2 13.2 13.8 14.7
10.3 13.4 13.9 14.8
10.4 13.6 14.4
13.3 14.5
13.5 14.9
16.1 16.6
3.3 4.5 16.2 16.7
4.2 4.6 16.3 16.10
4.3 4.7 16.4 16.11
4.4 12.11 16.5
4.1 4.9
4.8 16.12
16.13
16.8 16.9
Devices
Applications
Networks
Data
Users
Degree of
Dependency
Technology People
Process
Identify Protect Detect Respond Recover
#RSAC
Work Still Left to Do: Mapping Governance Activities and
Process Oriented Functions
33
Devices
Applications
Networks
Data
Users
Technology People
Process
Identify Protect Detect Respond Recover
Risk Mgt Incident
Mgt
Inventory
Prioritization
Vuln Assessment
Threat Modeling
Risk Assessment
Controls
Validation
by
Simulated
or Actual
Attacker
Vuln
Mgt
Event
Mgt
Incident
Response
Mgt
?
BCP/COOP
Mgt
@sounilyu
#RSAC
This week
– Use the matrix to categorize vendors that you encounter in the Expo Hall
– Ask them where they fit and try to fit them only in one shopping aisle
In the first three months following this presentation you should:
– Send me feedback on how you have mapped vendors to it
– Organize your portfolio of technologies to see where you might have gaps
– Identify vendors that may round out your portfolio based on your security
design pattern (a.k.a. security bingo card)
Within six months you should:
– Send me feedback on how you used the Cyber Defense Matrix and improved it
34@sounilyu
“Apply” Slide
Questions?
@sounilyu

More Related Content

What's hot

CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
PECB
 

What's hot (20)

CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
 
SOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterSOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations Center
 
The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)
 
SOC and SIEM.pptx
SOC and SIEM.pptxSOC and SIEM.pptx
SOC and SIEM.pptx
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)
 
How I Learned to Stop Information Sharing and Love the DIKW
How I Learned to Stop Information Sharing and Love the DIKWHow I Learned to Stop Information Sharing and Love the DIKW
How I Learned to Stop Information Sharing and Love the DIKW
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CK
 
IBM Q-radar security intelligence roadmap
IBM Q-radar security intelligence roadmapIBM Q-radar security intelligence roadmap
IBM Q-radar security intelligence roadmap
 
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
 
Security architecture
Security architectureSecurity architecture
Security architecture
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
 
Rothke secure360 building a security operations center (soc)
Rothke   secure360 building a security operations center (soc)Rothke   secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
 
Cyber Security Maturity Assessment
 Cyber Security Maturity Assessment Cyber Security Maturity Assessment
Cyber Security Maturity Assessment
 
Cyber Resilience – Strengthening Cybersecurity Posture & Preparedness by Phil...
Cyber Resilience – Strengthening Cybersecurity Posture & Preparedness by Phil...Cyber Resilience – Strengthening Cybersecurity Posture & Preparedness by Phil...
Cyber Resilience – Strengthening Cybersecurity Posture & Preparedness by Phil...
 
How to Reduce the Attack Surface Created by Your Cyber-Tools
How to Reduce the Attack Surface Created by Your Cyber-ToolsHow to Reduce the Attack Surface Created by Your Cyber-Tools
How to Reduce the Attack Surface Created by Your Cyber-Tools
 
Bulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat LandscapefinalBulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat Landscapefinal
 
Cybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect MatchCybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect Match
 
Vulnerability and Patch Management
Vulnerability and Patch ManagementVulnerability and Patch Management
Vulnerability and Patch Management
 
Next Generation Defense in Depth Model - Tari Schreider, CCISO, Chief Cybers...
Next Generation  Defense in Depth Model - Tari Schreider, CCISO, Chief Cybers...Next Generation  Defense in Depth Model - Tari Schreider, CCISO, Chief Cybers...
Next Generation Defense in Depth Model - Tari Schreider, CCISO, Chief Cybers...
 

Similar to Cyber Defense Matrix: Reloaded

RAMNSS_2016_service_porfolio
RAMNSS_2016_service_porfolioRAMNSS_2016_service_porfolio
RAMNSS_2016_service_porfolio
Rhys A. Mossom
 
Webinar: Get Ready to Detect, Respond & Recover from a Cyber Attack
Webinar: Get Ready to Detect, Respond & Recover from a Cyber AttackWebinar: Get Ready to Detect, Respond & Recover from a Cyber Attack
Webinar: Get Ready to Detect, Respond & Recover from a Cyber Attack
Aujas
 
Protect & Defend Your Critical Infrastructure
Protect & Defend Your Critical InfrastructureProtect & Defend Your Critical Infrastructure
Protect & Defend Your Critical Infrastructure
Q1 Labs
 
Detect and Respond to Threats Better with IBM Security App Exchange Partners
Detect and Respond to Threats Better with IBM Security App Exchange PartnersDetect and Respond to Threats Better with IBM Security App Exchange Partners
Detect and Respond to Threats Better with IBM Security App Exchange Partners
IBM Security
 
Mike Miller Resume 2016 - Ver 2
Mike Miller Resume 2016 - Ver 2Mike Miller Resume 2016 - Ver 2
Mike Miller Resume 2016 - Ver 2
Mike Miller
 

Similar to Cyber Defense Matrix: Reloaded (20)

Security assessment with a hint of CISSP Prep
Security assessment with a hint of CISSP PrepSecurity assessment with a hint of CISSP Prep
Security assessment with a hint of CISSP Prep
 
RAMNSS_2016_service_porfolio
RAMNSS_2016_service_porfolioRAMNSS_2016_service_porfolio
RAMNSS_2016_service_porfolio
 
Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016
 
Be the Hunter
Be the Hunter Be the Hunter
Be the Hunter
 
Webinar: Get Ready to Detect, Respond & Recover from a Cyber Attack
Webinar: Get Ready to Detect, Respond & Recover from a Cyber AttackWebinar: Get Ready to Detect, Respond & Recover from a Cyber Attack
Webinar: Get Ready to Detect, Respond & Recover from a Cyber Attack
 
Marlabs cyber threat management
Marlabs cyber threat managementMarlabs cyber threat management
Marlabs cyber threat management
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
So You Want a Job in Cybersecurity
So You Want a Job in CybersecuritySo You Want a Job in Cybersecurity
So You Want a Job in Cybersecurity
 
cybersecurity-careers.pdf
cybersecurity-careers.pdfcybersecurity-careers.pdf
cybersecurity-careers.pdf
 
Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...
Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...
Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...
 
AWS Summit Auckland Platinum Sponsor presentation - Trend Micro
AWS Summit Auckland Platinum Sponsor presentation - Trend MicroAWS Summit Auckland Platinum Sponsor presentation - Trend Micro
AWS Summit Auckland Platinum Sponsor presentation - Trend Micro
 
Protect & Defend Your Critical Infrastructure
Protect & Defend Your Critical InfrastructureProtect & Defend Your Critical Infrastructure
Protect & Defend Your Critical Infrastructure
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecture
 
Detect and Respond to Threats Better with IBM Security App Exchange Partners
Detect and Respond to Threats Better with IBM Security App Exchange PartnersDetect and Respond to Threats Better with IBM Security App Exchange Partners
Detect and Respond to Threats Better with IBM Security App Exchange Partners
 
Container Workload Security Solution Ideas by Mandy Sidana.pptx
Container Workload Security Solution Ideas by Mandy Sidana.pptxContainer Workload Security Solution Ideas by Mandy Sidana.pptx
Container Workload Security Solution Ideas by Mandy Sidana.pptx
 
Core.co.enterprise.deck.06.16.10
Core.co.enterprise.deck.06.16.10Core.co.enterprise.deck.06.16.10
Core.co.enterprise.deck.06.16.10
 
Exploring the Defender's Advantage
Exploring the Defender's AdvantageExploring the Defender's Advantage
Exploring the Defender's Advantage
 
What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?
 
Mike Miller Resume 2016 - Ver 2
Mike Miller Resume 2016 - Ver 2Mike Miller Resume 2016 - Ver 2
Mike Miller Resume 2016 - Ver 2
 
Splunk for Security Breakout Session
Splunk for Security Breakout SessionSplunk for Security Breakout Session
Splunk for Security Breakout Session
 

Recently uploaded

Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
UXDXConf
 

Recently uploaded (20)

The Metaverse: Are We There Yet?
The  Metaverse:    Are   We  There  Yet?The  Metaverse:    Are   We  There  Yet?
The Metaverse: Are We There Yet?
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System Strategy
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutes
 
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
 
Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024
 
Connecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAKConnecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAK
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024   Teams Premium - Pretty SecureECS 2024   Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty Secure
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
 
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
 
Introduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationIntroduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG Evaluation
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
 
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
 

Cyber Defense Matrix: Reloaded

  • 1. #RSAC SESSION ID: Sounil Yu The Cyber Defense Matrix, Reloaded STR-T09 @sounilyu
  • 3. #RSAC Vendors shown are representative only No usage or endorsement should be construed because they are shown here Opinions are my own and do not represent those of my employer Disclaimers @sounilyu 3 All models are wrong, but some are useful - George E. P. Box …and some models are measurably more useful - Doug Hubbard
  • 4. #RSAC Background on the Cyber Defense Matrix @sounilyu 4
  • 5. #RSAC Background on the Cyber Defense Matrix @sounilyu 5 Operational Functions Inventorying assets and vulns, measuring attack surface, prioritizing, baselining normal, threat modeling, risk assessment Preventing or limiting impact, patching, containing, isolating, hardening, managing access, vuln remediation Discovering events, triggering on anomalies, hunting for intrusions, security analytics Acting on events, eradicating intrusion, assessing damage, forensic reconstruction Returning to normal operations, restoring services, documenting lessons learned, resiliency Asset Classes Workstations, servers, phones, tablets, storage, network devices, IoT infrastructure, etc. Software, interactions, and application flows on the devices Connections and traffic flowing among devices and apps Information at rest, in transit, or in use by the resources above The people using the resources listed above 10011101010101010010 01001101010110101001 11010101101011010100 10110101010101101010 DEVICES APPS NETWORKS DATA USERS IDENTIFY PROTECT DETECT RESPOND RECOVER
  • 6. #RSAC The Cyber Defense Matrix @sounilyu 6 Operational Functions Inventorying assets and vulns, measuring attack surface, prioritizing, baselining normal, threat modeling, risk assessment Preventing or limiting impact, patching, containing, isolating, hardening, managing access, vuln remediation Discovering events, triggering on anomalies, hunting for intrusions, security analytics Acting on events, eradicating intrusion, assessing damage, forensic reconstruction Returning to normal operations, restoring services, documenting lessons learned, resiliency Asset Classes Workstations, servers, phones, tablets, storage, network devices,IoT infrastructure, etc. Software, interactions, and application flows on the devices Connections and traffic flowing among devices and apps Information at rest, in transit, or in use by the resources above The people using the resources listed above 10011101010101010010 01001101010110101001 11010101101011010100 10110101010101101010 DEVICES APPS NETWORKS DATA USERS IDENTIFY PROTECT DETECT RESPOND RECOVER Devices Applications Networks Data Users Degree of Dependency Technology People Process Identify Protect Detect Respond Recover
  • 7. #RSAC Devices Applications Networks Data Users Degree of Dependency Technology People Process Identify Protect Detect Respond Recover Background on the Cyber Defense Matrix @sounilyu 7
  • 8. #RSAC Enterprise Security Market Segments @sounilyu 8 Devices Applications Networks Data Users Degree of Dependency Technology People Process Identify Protect Detect Respond Recover IAM Endpoint Detection & ResponseConfig Mgt, Vuln Scanner Data Audit, Discovery, Classification RASP, WAF Phishing Simulations DDoS Mitigation Insider Threat / Behavioral Analytics Network Security (FW, IPS/IDS) DRM Encryption, Tokenization, DLP, DRM Netflow, Network Vuln Scanner NW Forensics AV, HIPS Deep Web, Brian Krebs, FBI Backup Phishing & Security Awareness SAST, DAST, SW Asset Mgt, Fuzzers EP Forensics
  • 9. #RSAC We care about more than just the assets that are owned and controlled by the enterprise @sounilyu 9 Threat Actors Vendors Customers Employees Enterprise Assets • Devices - workstations, servers, phones, tablets, IoT, peripherals, storage, network devices, web cameras, infrastructure, etc. • Applications - The software, interactions, and application flows on the devices • Network - The connections and traffic flowing among devices and applications • Data - The information residing on, traveling through, or processed by the resources listed above • Users – The people using the resources listed above 01001101010110101001 10110101010101101010 Operational Functions • Identify – inventorying assets and vulns, prioritizing, measuring attack surface, baselining, threat modeling, risk assessmt • Protect – preventing or limiting impact, patching, containing, isolating, hardening, managing access, vuln remediation • Detect – discovering events, triggering on anomalies, hunting for intrusions, security analytics • Respond – acting on events, eradicating intrusion footholds, assessing damage, coordinating response, forensics • Recover – returning to normal operations, restoring services, documenting lessons learned
  • 10. #RSAC Devices Applications Networks Data Users Identify Protect Detect Respond Recover Devices Applications Networks Data Users Identify Protect Detect Respond Recover Devices Applications Networks Data Users Identify Protect Detect Respond Recover Devices Applications Networks Identify Protect Detect Respond R Market Segments – Other Environments @sounilyu 10 Threat Actor Assets Threat Intel Intrusion Deception Malware Sandboxes Vendor Assets Cloud Access Security Brokers Vendor Risk Assessments Customer Assets Endpoint Fraud Detection Device Finger- printing Digital Biometrics Web Fraud Detection Employee Assets BYOD MAM BYOD MDMPCI-DSS, GDPR
  • 11. #RSAC Recap from 2016 Briefing 11@sounilyu Other Use Cases Primary Use Case: Vendor Mapping Differentiating Primary & Supporting Capabilities Defining Security Design Patterns Maximizing Deployment Footprint Understanding the New Perimeter Calculating Defense-in-Depth Balancing Your Portfolio Budget Planning for Obsolescence Disintermediating Security Components Comparing Point Products vs Platforms Finding Opportunities for Automation Identifying Gaps in People, Process, Tech https://bit.ly/cdm-rsa2016
  • 12. #RSAC Early Stage Expo and Sandbox Vendors 12 Identify Protect Detect Respond Recover Technology People Process Devices Applications Networks Data Users Degree of Dependency @sounilyu Disclaimer: Vendors shown are representative only. No usage or endorsement should be construed because they are shown here. SecurePlus Data
  • 13. #RSAC Devices Applications Networks Data Users Identify Protect Detect Respond Recover Devices Applications Networks Data Users Identify Protect Detect Respond Recover Devices Applications Networks Data Users Identify Protect Detect Respond Recover Devices Applications Networks Identify Protect Detect Respond R Early Stage Expo and Sandbox Vendors 13@sounilyu Threat Actor Assets Vendor Assets Customer Assets Employee Assets Disclaimer: Vendors shown are representative only. No usage or endorsement should be construed because they are shown here.
  • 14. #RSAC Use Case 12: Optimal Resource Allocation Ratios 14@sounilyu Technology People Processes Technology People Process 90 70 50 30 10 10 30 50 70 90 50 50 50 50 50 Identify Protect Detect Respond Recover ~10:1 ~2:1 1:1 ~1:2 ~1:10Tech:People Ratio RISK ADVERSE POSTURE RISK TAKING POSTURE
  • 15. #RSAC Use Case 13: Understanding Handoffs and Responsibilities 15@sounilyu Identify Protect Detect Respond Recover Endpoint Services CERT Endpoint Team LOBs App Monitoring LOBs Network Services Network Monitoring Net Svcs Chief Data Officer Data Loss Prevention CDO Human Resources Insider Threat Human Resources / Physical Security Devices Applications Networks Data Users
  • 16. #RSAC Use Case 13: Understanding Handoffs and Responsibilities 16@sounilyu Inventory: Systems Mgt Prioritize: Function / Ownership Vuln / Attack Surface Measurement: Vulnerability Scanner Inventory: Application Inventories, API Inventories Prioritize: Critical App List Vuln / Attack Surface Measurement: SAST/DAST/IAST Inventory: Netflow Prioritize: Function / Volume Vuln / Attack Surface Measurement: Path Analysis Inventory: Data Repository Lists Prioritize: Data Classification Vuln / Attack Surface Measurement: Level of Exposure Inventory: HR Systems / Payroll Prioritize: Hierarchy Vuln / Attack Surface Measurement: Background Chk/ Phishing Devices Applications Networks Data Users Identify Function RACI Establish Inventory RA – Owner I – Security Prioritize Inventory R – Owner I – Security Measure Vuln/ Attack Surface R – Security ACI – Owner Technology People Process • Observations: - There are greater inefficiencies when the RACI is out of alignment in a given domain - Identify functions that are largely performed manually will result in poor data quality
  • 17. #RSAC Use Case 13: Understanding Handoffs and Responsibilities 17@sounilyu Configure: Systems Mgt Patch: Patch Mgt Policy: Endpoint / Server Security Policy Configure: Application Security Lifecycle, BSIMM Patch: Code Updates, WAF, RASP Policy: Application Security Program Configure: Network Segmentation Patch: Firewalls Policy: Network Security Policy Configure: Encryption, Tokenization Patch: Re-encryption Policy: Data Security Policy Configure: Onboarding Orientation Patch: Annual / Periodic Training / Teachable Moments Policy: User Awareness Policy Devices Apps Networks Data Users Protect Technology People Process Function RACI Configure RA – Owner CI – Security Patch RA – Owner CI – Security Policy Definition RA – Security CI – Owner
  • 18. #RSAC Devices Applications Networks Data Users Define Policy • Device usage policy • Baselines, standards • SaaS usage policy • App Dev policy • Network access policy • Classification guide • Acceptable use policy Repair / Correct / Patch / Remediate • Patch • Fix bugs • Patch • Modify ACLs • Encrypt • Chg permissions • Training and awareness Least Priv / Control Access/ Separation of Duties • Active Directory/ LDAP / RADIUS • Admin Priv Escalation • Mutual TLS, API keys • User authenication • Dev/Test/Prod sep • VPN • NAC • Firewalls, VLANs • Need to know • Database activity monitoring • IAM, Access review • SoD, Roles & Responsibilities Credential Management • Credential Vaulting • Credential Vaulting • API key management • Credential Vaulting • TACACS • Key management system, HSMs • Password manager • Multifactor Auth Whitelist / Blacklist • Signature-based (A/V), Behavior-based (HIPS) • Run-time application self protection • Default deny ACLs • Default allow ACLs • HMACs • Persona non grata • Full ID check Harden • Configuration hardening • Secure coding • Code obfuscation • Close comms paths • TLS encryption • AES encryption • Training and awareness Least Functionality • Unnecessary service removal • Microservices • Containers • Single packet authentication • Need to know • Differential privacy • N/A Isolation / Containment • Virtualization, sandboxing • Containers, Content Disarm and Reconstr • Walled garden, remediation network • Rights management system • Quarantine, jail Audit / Log Events • A/V, HIPS, login, and other event logs • Application logs • Authentication logs • VPN, NAC, Firewall, DNS, DHCP logs • Database logs, DB activity logs • User activity logs Change Management • File integrity monitoring • Version / release control • Network change management tools • Integrity monitoring • Manager 1:1s Patterns and Anti-Patterns in PROTECT functions 18
  • 19. #RSAC Use Case 14: Understanding why do some things that we buy never get used 19@sounilyu Source: Security Shelfware: Which Products Are Gathering Dust In the Shed and Why? https://www.rsaconference.com/writable/presentations/file_upload/mash-t07a-security-shelfware-which-products-gathering-dust-and-why.pdf 0 5 10 15 20 WAF Web filtering Forensics AV User awareness IDAM / SSO / Priv Mgt SIEM FIM GRC Vuln Scanners IPS IDS What ends up on the shelf? 0 5 10 15 20 Vaporware Lack of Updates Bundled / Cheap Compliance / Regulatory Requirement Budget cuts Replaced with competing product Lack of staff Internal politics Unable to use/enable features Not enough expertise Why Vendors Users
  • 20. #RSAC Detect Devices Applications Networks Data Users SIEM UEBA EDR IDS SIEM UEBA UBA People Technology Process Use Case 14: Understanding why do some things that we buy never get used 20@sounilyu • Observation: People/Tech Mix - At the DETECT stage, an equal mix of people and technology are needed (i.e., you CANNOT automate everything) • Mapping: - Alignment is done by USE CASE, not by TELEMETRY - A generic analytics platform that consumes a wide range of TELEMETRY can satisfy a wide range of USE CASES - Vendors typically sell the fine tuning of DETECTION RULES to satisfy a USE CASE using specific TELEMETRY
  • 21. #RSAC Use Case 15: Visualizing Attack Surfaces Devices Applications Networks Data Users Vuln Assessment OS Hardening Config Compliance SAST DAST WAF Load Balancer IAM Log Analysis Netflow DDoS Prevention Firewall IPS/IDS DDoS Mitigation PCAP Analysis Encryption Tokenization Identify Protect Detect Respond Recover @sounilyu 21 Devices Applications Networks Data Users SAST DAST WAF Load Balancer IAM Log Analysis Encryption Tokenization Identify Protect Detect Respond Recover Traditional Web Application Serverless Function
  • 22. #RSAC Specialized Generalized Generalized Specialized Use Case 16: Differentiating between Generalized vs Specialized Needs 22@sounilyu Technology People Processes Technology People Process Identify Protect Detect Respond Recover Specialized: skills or capabilities needed to service security needs (e.g., vulnerability scanners, access control systems, hunting skills, incident response skills) Generalized: skills or capabilities sufficient to service security needs (e.g., analytic platforms, orchestration tools, vulnerability management skills, risk management skills) Try to avoid acquiring specific capabilities that can be supported with generalized resources
  • 23. #RSAC Devices Applications Networks Data Users Identify Protect Detect Respond Recover Use Case 17: Measurements: Checklist Based Approaches 23 Are the vendor's default passwords and default log-in names changed on software applications before those applications are put into operation? •Are passwords for service accounts (e.g., backupserver, sp_content) extremely complex in their character sets and length? •Are the boot sequences on the organization's computers set so that the computers cannot be booted from external media, such as USB drives or CD's? •Is each type and level of application privilegeassigned an appropriate type and level of authentication mechanism? (e.g., do administrator privileges require a more secure log-in mechanism than ordinary privileges?) •Is there a documented procedure for removing and verifying the removal of application privileges when these are no longer needed? Has the organization formally assigned sensitivity classifications to its information files? Are the sensitivity classifications that the organization employs designed to provide a good basis for encryption policies? Are the sensitivity classifications that the organization employs periodically reviewed to make sure that they are not excessively restrictive, encumbering corporate activities with necessary precautions, or insufficiently restrictive, exposing corporate activities to losses and harm? Does the organization avoid storing types of data that could create liabilities,but do not serve any important business or government function? (e.g., does the organization erase credit card numbers as soon as the transactions using those numbers have been successfully processed, if the customers are going to be asked to enter these numbers again when making future purchases?) Are all input fields for data restricted to an appropriate minimum and maximum length? (e.g., a Social Security Number field should only allow nine numerals.) Are all input fields for data restricted to the appropriate characters and expressions? (e.g., a Social Security Number field should not allow anything but numerals and dashes.) Are there limitations on the data fields for the database that correspond to the limitations in the fields on the user interface, so that improper data are not inserted directly into the database? Are the service ports for critical applications configured to filter out data that is outside the proper operating parameters for those applications? Are the limitations on what can be written into the input fields made sufficiently restrictive, wherever possible, so that those fields will not accept executable instructions? Is the ability to alter or input data into documents or databases restricted to those employees who would have a valid need to do so in the course of their normal work? Are data fields that would rarely need to be changed made read-only as soon as the data entry is verified as correct? Are documents that present the organization's work or positions converted into formats that cannot be easily modified, before they are circulated electronically outside the organization? When documents are converted into formats that cannot be easily modified, are those documents digitally signed to make them even harder to falsify? Are the digital signatures on important documents routinely checked to verify their source before those documents are accepted and utilized? Are critically important e-mails sent using an application that hashes their contents, so that the e-mails' contents cannot easily be falsified? Is there an automatic process for monitoring systems for symptoms that false information may have been inserted? If there is reason to believe an attacker could benefit greatly from altering a body of data, is that data associated with a hash that would reveal if the data has been altered? Is there a mechanism for monitoring and logging all changes to critical databases? Are all uploads of sensitive data files monitored and logged? Are all uploads of encrypted data files monitored and logged? Is there an alarm mechanism that warns if data is apparently being entered by employees in quantities or with distributions that are not consistent with those employees' normal work patterns? After a data field has been made read only, is there an appropriate procedure for correcting that field under special circumstances and for verifying that correction? Is the database designed so that sensitive information cannot be over- written, without successive, time-stamped revisions being securely archived? Wherever practical, is any authentic information that might be stolen intermixed with bogus information that would cause harm or lead to the possible prosecution of anyone who tries to use it? Are receipts for important e-mails collected and stored to provide a record verifying that they reached the intended recipients? If log files need to be preserved for an extended period of time for legal reasons, are these files stored in a tamper-proof form at more than one physical location? Are all corporate information systems protected with basic authentication mechanisms, such as log-in name and password? Are log-in attempts limited to a certain number per minute (rather than a certain number altogether)? Is the rate at which log-in's can be attempted automatically slowed further after multiple failed attempts? If the log-in process is regularly under attack, is there a queuing system that would allow someone trying to properly access the system to get a turn at logging into it? If an account is accessed only after a considerable number of failed log- in attempts, is that account then monitored for improper use? Is there a simple automated procedure for cancelling any access provided by an employee's password, authentication token, or biometric information when that employee leaves the firm? Is there a program checking passwords when they are created to make sure that they meet the prescribed minimum length and complexity requirements? Are password choices automatically rejected if they are on the list of most commonly used passwords or consist mostly of a commonly used password? Are the characters typed into password fields masked, so that they can't be read by bystanders? Are there automatic alarms triggered by multiple failed log-in attempts, even if distributed across time, across user ID's, or different systems? Are multiple failed attempts to access applications reviewed in a timely manner, even if those failed access attempts are by authorized employees? Is an effort made to identify and investigate successful access authentications that are carried out at unusual hours of the day or night? Is there an alarm mechanism that would warn of the theft of a file in which passwords are stored? If an employee needs to recover a password from a remote location, is a link to recover or reset the password sent in an e-mail to that employee's regular e-mail account after the employee has successfully answered the challenge questions? Is there a simple automated procedure for rapidly revoking the privileges for tokens and smart cards, if they become compromised? Is there an efficient procedure for replacing tokens and smart cards? Is there a simple automated procedure for revoking the privileges for any biometric identifier that is compromised? Does the organization maintain a comprehensive list of all the system names and their associated network addresses on the organization's network? Do detailed network topology diagrams exist of the corporate network, so that all the connection routes can be traced? Do the detailed network topology diagrams list the service paths and network protocols being used? Has the information on the network topology diagram been verified to be accurate, so that all the components and connections on the network are indeed included? Are all documents diagramming network topologies rigorously protected from unauthorized access? Does the organization maintain comprehensive access control lists for its routers, including the internet protocol addresses and port numbers being utilized? If the organization is maintaining a separate network for security reasons, are all unnecessary services and broadcasts disabled on the gateway between networks, including responses to ping requests and traceroute requests, so that the existence of the gateway is difficult to detect? If a network is used for highly critical functions, does the organization periodically change the port numbers used by those critical services, so that any previous unauthorized explorations by potential attackers of those port numbers and their uses will be made obsolete? If a network is used for highly critical functions, does the organization periodically change the names of servers and other devices, so that any previous unauthorized explorations by potential attackers of those names and what they designate will be made obsolete? Are the baseline standards for equipment connected to the organization's network periodically reviewed and updated? Are the vendor's default security settings, including default passwords and user names, changed on systems before those systems are connected to the network? Are vulnerability scans or penetration tests performed on critical systems both before they are connected to the corporate network and regularly thereafter? Are employees explicitly forbidden to plug unauthorized electronic devices, such as flash drives, iPods, Kindles, smart phones, and digital cameras, into equipment inside the corporate network? Are switches in criticallyimportant facilities configured so that they will not connect to any pieces of electronic equipment that are not on the list of authorized manufacturer identification (MAC) numbers? Are wireless access points in critically important facilities configured so that they will not connect to any pieces of electronic equipment that are not on the list of authorized manufacturer identification (MAC) numbers? Do the wireless connections employ strong encryption technologies? Are there strict requirements and procedures for deploying any modems within the corporate infrastructure? Is there a documented approval process for giving people remote access to modems? If it is necessary to use insecure protocols for receiving or sending data, such as the File Transfer Protocol (FTP), are these insecure protocols supplemented with security protocols at the session protocol layer (e.g., yielding FTPS) or else transmitted over a virtual private network? Does the organization have agreements with vendors in which they guarantee a specified level of network reliabilityand service? Do corporate policies limit the use of unencrypted protocols, such as FTP, Telnet, or earlier versions of SNMP, for system management, unless the system explicitly requires these protocols? If the systems require unencrypted protocols, such as FTP, Telnet, or earlier versions of SNMP, for their management, are the corresponding connections set to shut down after a limited period of time? Does the corporation use access control lists to restrict SNMP requests from unauthorized systems to networking equipment, such as routers and switches? Are there policies for limiting the use of any remote management tools that would allow systems to be controlled from outside the corporate network? Have the networking components been configured to give more critical categories of traffic, such as process control instructions, priority over less critical categories of traffic, such as e-mails? Are there procedures for rate-limiting traffic so that the network is not incapacitated by excessive loads on the services affected? Have tests been conducted to make sure that critical systems cannot be taken offline too easily by large amounts of data or traffic, such as might be employed in a denial service attack? Is the network automatically and frequently scanned for connections to pieces of electronic equipment with manufacturer identification (MAC) numbers that are not on the list of authorized devices? Does the organization monitor for symptoms of manufacturer identification (MAC) numbers being spoofed, such as a mismatched operating system, mismatched device type, incorrect device location, and uncharacteristic behavior of the device? Is a wireless analyzer periodically run to identify any unauthorized wireless devices that may have been connected to the network? Are internal war-dialing campaigns periodically carried out to identify unauthorized modems that can be reached by dialing in? Are corporate phone exchanges periodically checked to detect outside attempts at finding unauthorized modems by war-dialing campaigns? Are the logs of server configurations regularly reviewed to make sure that any changes in the configurations did not undermine security? If the servers are performing critical operations or store very sensitive information, are the logs recording changes in their configurations reviewed daily? Are all modifications of router and switch configurations logged? Are the people in the organization who are responsible for cloud computing policies made aware that the use of an external cloud provider will require additional security measures? Are the people in the organization who are responsible for cloud computing policies made aware that any unencrypted information stored with a cloud provider could potentially be obtained by a subpoena before the organization could take legal steps to prevent this? Are the people in the organization who are responsible for cloud computing policies made aware that the extra encryption needed to secure information in the cloud could result in longer response times for information systems? Do all administrator accounts used for cloud computing resources require two-factor authentication? Does the organization maintain separation between virtual machines performing more critical operations and those performing less critical operations? Is the management of external cloud computing resources performed using encrypted channels? Is any remote use of the cloud management interface performed over secure communication channels, such as a virtual private network? Is the cloud management interface configured to restrict administrator access from unknown internet protocol addresses? Is the cloud management interface designed with the minimum number of functions needed to manage the virtual machines, so that there are fewer opportunities to mount an attack utilizing those functions? Is all sensitive information that the organization stores in the cloud encrypted? Is all sensitive information transmitted between the client and the cloud encrypted? Does the cloud provider maintain redundant secure communication channels for accessing the cloud management interfaces? If the organization performs critical operations using external cloud computing resources, are these operations logicallyisolated from other virtual machines by the use of a separate hardware-level hypervisor? Is the organization choosing virtual machines for its critical operations that are designed to fail to a state which protects the system from security compromises and data breaches? If the organization allows its employees to use third-party collaborative platforms, such as Google Docs or Dropbox, for standard business operations, do they require employees to use only those platforms that encrypt all files at rest? Does the organization require its employees to refrain from putting any information on third-party collaborative platforms if it is considered very sensitive? If the organization allows its employees to use third-party collaborative platforms, such as Google Docs or Dropbox for standard business operations, has two-step log- in verification been implemented for those accounts? Are employees prevented from using personally owned smart phones to access third-party collaborative platforms used for work? Are backups of sensitive information that are made by the cloud provider periodically duplicated and stored at a third site, physically separate both from the cloud provider's facilities and from the organization's main facilities? Are copies of cryptographic keys used to encrypt sensitive information at the external provider of cloud computing services stored at a third site, physically separate both from the cloud provider's facilities and from the organization's main facilities? Does the organization have a set of procedures ready for moving all of its cloud operations and data out of the cloud? Does the organization have a set of procedures ready for moving all of its cloud operations and data to another cloud provider? Are employee laptops protected by anti-virus software? Are all smart phones issued by the organization protected by anti-virus software if those devices are vulnerable to viruses? Are the anti-virus signatures and definitions on employee laptops and smart phones updated as soon as new signatures are available? Are employee laptops protected by internet-protection software that blocks access to dangerous websites or known hostile IP address ranges? Are infrared, bluetooth, and wireless links on laptops and mobile devices disabled when not required for business functions? Are remote log-in's from employee laptops required to use IP addresses that were used in the past or are consistent with the employee's expected geographical location? Are telecommuters required to use virtual private network connections to obtain access to the corporate network? If the organization uses virtual private networks, is two-factor authentication required? If the organization uses a virtual private network to access highly- critical systems, are more stringent authentication mechanisms, such as tokens and biometrics, required? If the organization uses virtual private networks, are the connecting computers first connected to a computer in an isolated network that runs a security check on the remote computer before it is granted access to the internal network? Are employee laptops protected by anti-virus software? Are replacements on hand for the most functionally important servers, desktop computers, laptop computers, and other equipment, in case these are stolen or physically damaged Have you disabled or modified the banners or strings that announce the name and version of the software products being used on public- facing web servers? If an employee is promoted to a considerably higher level of responsibility and access, is a new background check carried out? Are security logs for firewalls regularly reviewed to establish baselines for normal traffic patterns? Are security logs for firewalls regularly reviewed to establish baselines for normal traffic patterns? Have you disabled or modified the banners or strings that announce the name and version of the software products being used on public-facing web servers? Are replacements on hand for the most functionally important servers, desktop computers, laptop computers, and other equipment, in case these are stolen or physically damaged If an employee is promoted to a considerably higher level of responsibility and access, is a new background check carried out? Are employee laptops protected by anti-virus software? @sounilyu *Checklist questions are from US Cyber Consequences Unit
  • 24. #RSAC Use Case 17: Measurements: Checklist Based Approaches 24 19/34 2/723/25 6/9 11/14 40/52 44/5913/25 18/40 13/43 18/26 34/527/59 8/29 18/33 23/38 16/396/37 25/28 25/47 27/42 8/1213/28 49/51 12/16 Devices Applications Networks Data Users Identify Protect Detect Respond Recover @sounilyu
  • 25. #RSAC Use Case 17: Measurements: Checklist Based Approaches 25 Devices Applications Networks Data Users Identify Protect Detect Respond Recover 56% 29%66% 67% 79% 77% 75%52% 45% 30% 69% 65%12% 28% 55% 61% 41%16% 89% 53% 64% 67%46% 96% 75% @sounilyu
  • 26. #RSAC Use Case 18: Applying Security Design Patterns to Fit Business Constraints 26@sounilyu DAY EXTENDERS COMMODITY TRADERS General Specialized SENIOR EXECUTIVES BRANCH OFFICE DEVELOPERS / DATA ANALYSTS CALL CENTERS ROAD WARRIORS OFFICE WORKERS Who Are You ? O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O = 80 Max Possible Security Posture = 100 Min Required Security Posture > 70 (Due to inherent risks and risk tolerance) Max Possible Security Posture = 50 Min Required Security Posture > 55 (Due to inherent risks and risk tolerance) = 56 Going above maximum possible security posture results in a business impact and forces a conscious tradeoff between business impact and security posture
  • 27. #RSAC Devices Applications Networks Data Users Degree of Dependency Technology People Process Identify Protect Detect Respond Recover Use Case 19: New Tech Areas - Vuln Assessment vs Pen Testing vs Breach and Attack Simulation vs Red Team 27@sounilyu Penetration Testing RedTeam Vulnerability Assessment Breachand AttackSim Where are we inherently vulnerable? Are those vulnerabilities mitigated or protected? For those that are not, do we log the event and get it just before the point where an analyst would have seen it? Is the event actually escalated to an incident with an associated response action?
  • 28. #RSAC Use Case 20: New Tech Areas - Zero Trust 28@sounilyu Device Certs Host-Based Firewalls SSL Certs API Gateways IP Address “Zero Trust”, Single Packet Authentication Hashes, Checksums Encryption Passwords, Tokens, No-Passwords N/A Devices Applications Networks Data Users Identify (From) Protect (To) Establishes trustworthiness of the asset Enforces access policy based on trustworthiness and other environmental factors
  • 29. #RSAC Other Frameworks: Mapping the Kill Chain View #1 29@sounilyu Devices Applications Networks Data Users Identify Protect Detect Respond Recover
  • 30. #RSAC Other Frameworks: Mapping the Kill Chain View #2 30@sounilyu
  • 31. #RSAC Other Frameworks: Mapping ATT&CK (in progress) 31@sounilyu Devices Applications Networks Data Users Identify Protect Detect Respond Recover Visibility/Data Sources Mitigations Cyber Analytic Repository
  • 32. #RSAC Other Frameworks: Mapping to the CIS Top 20 Critical Security Controls 32@sounilyu 1.1 1.4 1.2 1.5 1.3 9.1 1.7 8.3 9.5 15.6 1.8 8.5 12.12 15.9 8.1 9.2 15.4 8.2 9.4 15.5 8.4 8.8 8.6 9.3 1.6 2.1 2.2 2.3 2.4 2.5 2.7 3.4 5.3 7.3 2.8 3.5 5.4 2.9 5.1 7.1 2.10 5.2 7.2 3.1 3.2 5.5 2.6 3.6 3.7 11.1 12.1 11.2 15.1 7.4 7.10 12.3 14.3 7.5 11.4 12.4 15.7 7.7 11.5 12.7 15.8 7.8 11.6 14.1 15.10 7.9 11.7 14.2 6.1 6.6 11.3 12.9 6.2 6.7 12.2 12.10 6.3 6.8 12.5 15.2 6.4 7.6 12.6 15.3 6.5 8.7 12.8 13.1 10.1 10.5 13.7 14.6 10.2 13.2 13.8 14.7 10.3 13.4 13.9 14.8 10.4 13.6 14.4 13.3 14.5 13.5 14.9 16.1 16.6 3.3 4.5 16.2 16.7 4.2 4.6 16.3 16.10 4.3 4.7 16.4 16.11 4.4 12.11 16.5 4.1 4.9 4.8 16.12 16.13 16.8 16.9 Devices Applications Networks Data Users Degree of Dependency Technology People Process Identify Protect Detect Respond Recover
  • 33. #RSAC Work Still Left to Do: Mapping Governance Activities and Process Oriented Functions 33 Devices Applications Networks Data Users Technology People Process Identify Protect Detect Respond Recover Risk Mgt Incident Mgt Inventory Prioritization Vuln Assessment Threat Modeling Risk Assessment Controls Validation by Simulated or Actual Attacker Vuln Mgt Event Mgt Incident Response Mgt ? BCP/COOP Mgt @sounilyu
  • 34. #RSAC This week – Use the matrix to categorize vendors that you encounter in the Expo Hall – Ask them where they fit and try to fit them only in one shopping aisle In the first three months following this presentation you should: – Send me feedback on how you have mapped vendors to it – Organize your portfolio of technologies to see where you might have gaps – Identify vendors that may round out your portfolio based on your security design pattern (a.k.a. security bingo card) Within six months you should: – Send me feedback on how you used the Cyber Defense Matrix and improved it 34@sounilyu “Apply” Slide