Successfully reported this slideshow.
Your SlideShare is downloading. ×

Cyber Defense Matrix: Revolutions

Ad

SESSION ID:
#RSAC
Sounil Yu
Cyber Defense Matrix:
Revolutions
CISO & Head of Research
JupiterOne
@sounilyu
STR-M01

Ad

#RSAC
@sounilyu
Disclaimer
RSA’s disclaimers
Presentations are intended for educational purposes only and do not replace i...

Ad

#RSAC
@sounilyu
Ready for a week of buzzword madness?
3

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Check these out next

1 of 35 Ad
1 of 35 Ad

Cyber Defense Matrix: Revolutions

Download to read offline

The Cyber Defense Matrix helps people organize and understand gaps in their overall security program. These slides describe several additional use cases of the Cyber Defense Matrix, including how to map the latest startup vendors and security trends, anticipate gaps, develop program roadmaps, capture metrics, reconcile inventories, improve situational awareness, and create a board-level view of their entire program.

See the 2016 version at: http://bit.ly/cyberdefensematrix
See the 2019 version at: http://bit.ly/cyberdefensematrixreloaded

The Cyber Defense Matrix helps people organize and understand gaps in their overall security program. These slides describe several additional use cases of the Cyber Defense Matrix, including how to map the latest startup vendors and security trends, anticipate gaps, develop program roadmaps, capture metrics, reconcile inventories, improve situational awareness, and create a board-level view of their entire program.

See the 2016 version at: http://bit.ly/cyberdefensematrix
See the 2019 version at: http://bit.ly/cyberdefensematrixreloaded

More Related Content

Cyber Defense Matrix: Revolutions

  1. 1. SESSION ID: #RSAC Sounil Yu Cyber Defense Matrix: Revolutions CISO & Head of Research JupiterOne @sounilyu STR-M01
  2. 2. #RSAC @sounilyu Disclaimer RSA’s disclaimers Presentations are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the presenters individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented. Attendees should note that sessions may be audio- or video-recorded and may be published in various media, including print, audio and video formats without further notice. The presentation template and any media capture are subject to copyright protection. ©2022 RSA Security LLC or its affiliates. All rights reserved. RSA Conference logo, RSA and other trademarks are trademarks of RSA Security LLC or its affiliates. Sounil’s Disclaimers • Vendors shown are representative only • No usage or endorsement should be construed because they are shown here 2 All models are wrong, but some are useful - George E. P. Box
  3. 3. #RSAC @sounilyu Ready for a week of buzzword madness? 3
  4. 4. #RSAC @sounilyu One simple way to organize these buzzwords is by aligning them against five asset classes and the NIST CSF 4 Operational Functions Inventorying assets and vulns, measuring attack surface, prioritizing, baselining normal, threat modeling, risk assessment Preventing or limiting impact, patching, containing, isolating, hardening, managing access, vuln remediation Discovering events, triggering on anomalies, hunting for intrusions, security analytics Acting on events, eradicating intrusion, assessing damage, forensic reconstruction Returning to normal operations, restoring services, documenting lessons learned, resiliency Asset Classes Workstations, servers, phones, tablets, storage, network devices, IoT infrastructure, etc. Software, interactions, and application flows on the devices Connections and traffic flowing among devices and apps Information at rest, in transit, or in use by the resources above The people using the resources listed above 10011101010101010010 01001101010110101001 11010101101011010100 10110101010101101010 DEVICES APPS NETWORKS DATA USERS IDENTIFY PROTECT DETECT RESPOND RECOVER
  5. 5. #RSAC @sounilyu The Cyber Defense Matrix 5 Operational Functions Inventorying assets and vulns, measuring attack surface, prioritizing, baselining normal, threat modeling, risk assessment Preventing or limiting impact, patching, containing, isolating, hardening, managing access, vuln remediation Discovering events, triggering on anomalies, hunting for intrusions, security analytics Acting on events, eradicating intrusion, assessing damage, forensic reconstruction Returning to normal operations, restoring services, documenting lessons learned, resiliency Asset Classes Workstations, servers, phones, tablets, storage, network devices, IoT infrastructure, etc. Software, interactions, and application flows on the devices Connections and traffic flowing among devices and apps Information at rest, in transit, or in use by the resources above The people using the resources listed above 10011101010101010010 01001101010110101001 11010101101011010100 10110101010101101010 DEVICES APPS NETWORKS DATA USERS IDENTIFY PROTECT DETECT RESPOND RECOVER Devices Applications Networks Data Users Degree of Dependency Technology People Process Identify Protect Detect Respond Recover
  6. 6. #RSAC @sounilyu Aligning the buzzwords against the Cyber Defense Matrix… 6 Devices Applications Networks Data Users Degree of Dependency Technology People Process Identify Protect Detect Respond Recover
  7. 7. #RSAC @sounilyu …can help bring some order to the chaos… 7 Devices Applications Networks Data Users Degree of Dependency Technology People Process Identify Protect Detect Respond Recover Asset Mgt, Vuln Scanning, Vuln Mgt, Certificate Mgt AV, Anti-Malware, EPP, FIM, HIPS, Whitelisting, Patch Mgt Endpoint Detection, UEBA, XDR EP Response, EP Forensics SAST, DAST, SW Asset Mgt, Fuzzers RASP, WAF, ZT App Access Source Code Compromise, Logic Bomb Discovery, App IDS, XDR Netflow, Network Vuln Scanner FW, IPS/IDS, Microseg, ESG, SWG, ZTNA DDoS Detection, Net Traf Analysis, UEBA, XDR DDoS Response, NW Forensics Data Audit, Discovery, Classification Encryption, Tokenization, DLP, DRM, DBAM, DB Access Proxy Deep Web, Data Behavior Analytics, FBI, Brian Krebs, XDR DRM, Breach Response Backup Phishing Sim, Background Chk, MFA Security Training & Awareness Insider Threat, User Behavior Analytics, XDR
  8. 8. #RSAC @sounilyu …and help you understand what some of these vendors do! (sorry, this slide is really out of date) 8 Identify Protect Detect Respond Recover Technology People Process Devices Applications Networks Data Users Degree of Dependency
  9. 9. #RSAC @sounilyu Use Cases of the Cyber Defense Matrix… 9 Primary Use Case: Vendor Mapping Differentiating Primary & Supporting Capabilities Defining Security Design Patterns Maximizing Deployment Footprint Understanding the New Perimeter Calculating Defense-in-Breadth Balancing Your Portfolio Budget Planning for Obsolescence Disintermediating Security Components Comparing Point Products vs Platforms Finding Opportunities for Automation Identifying Gaps in People, Process, Tech https://bit.ly/cyberdefensematrix
  10. 10. #RSAC @sounilyu Other Use Cases of the Cyber Defense Matrix… 10 https://bit.ly/cyberdefensematrixreloaded Optimizing Budgets and Resource Allocation Mapping Organizational Handoffs Aligning Roles and Responsibilities Understanding Why Products are Not Used Visualizing Attack Surfaces Aligning Generalized vs Specialized Needs Measurements and Metrics Business Aligned Security Patterns Vuln Scan vs PenTest vs BAS vs Red Team Mapping Zero Trust Capabilities Mapping to the Kill Chain Mapping to MITRE ATT&CK
  11. 11. #RSAC @sounilyu Remember Left and Right of Boom 11 Devices Applications Networks Data Users Degree of Dependency Technology People Process Identify Protect Detect Respond Recover Structural Awareness •Occuring pre-event •Gathers information about state •Discovering weaknesses from vulnerability assessments •Baselining expected behaviors and interactions •Conducting risk management Situational Awareness • Occurring post-event • Gathering information about events and activity • Discovering evidence of vulnerability exploitation and investigating • Triggering on unexpected state or behavioral changes • Conducting event and incident management
  12. 12. #RSAC @sounilyu Use Case 21: Prioritization Using CIS Critical Security Controls 12 1.1, 1.4 3.6, 4.4, 4.5, 4.8, 4.9, 4.11, 4.12, 10.1, 10.2, 10.3, 10.5, 10.6, 12.7, 12.8, 13.5, 13.7, 13.9 1.3, 1.5, 8.8, 10.4, 10.7, 13.2 1.2, 4.10 2.1, 2.2, 7.5, 7.6, 15.1, 15.2, 15.3, 15.5, 18.6, 18.7, 18.8 2.5, 2.6, 2.7, 4.1, 7.1, 7.3, 7.4, 9.1, 9.4, 15.4, 16.1, 16.2, 16.3, 16.4, 16.5, 16.6, 16.7, 16.8, 16.9, 16.10, 16.11, 16.12, 16.13, 16.14, 18.9, 18.10 2.4 2.3, 7.2, 7.7 12.4, 18.1, 18.2, 18.5 3.12, 4.2, 4.6, 8.1, 8.3, 8.4, 8.10, 9.2, 9.3, 9.5, 9.6, 9.7, 12.1, 12.2, 12.3, 12.5, 12.6, 13.4, 13.8, 13.10, 18.3, 18.4 8.2, 8.5, 8.6, 8.7, 8.9, 8.11, 13.1, 13.3, 13.6, 13.11 3.1, 3.2, 3.7, 3.8 3.3, 3.4, 3.5, 3.9, 3.10, 3.11, 3.13, 6.8, 11.3, 14.6, 15.7, 18.11 3.14, 8.12, 15.6 11.1, 11.2, 11.4, 11.5 5.1, 5.5, 6.6 4.3, 4.7, 5.2, 5.4, 5.6, 6.1, 6.2, 6.3, 6.4, 6.5, 6.7, 14.1, 14.2, 14.3, 14.4, 14.5, 14.7, 14.8, 14.9 5.3 Devices Applications Networks Data Users Degree of Dependency Technology People Process Identify Protect Detect Respond Recover 17.1, 17.2, 17.3, 17.4, 17.5, 17.6, 17.9 17.7, 17.8 Implementation Group 3 Implementation Group 1 Implementation Group 2
  13. 13. #RSAC @sounilyu Use Case 5: Calculating Defense-in-Breadth Using CIS’ Control Assessment Specification (https://controls-assessment-specification.readthedocs.io) 13 Identify Protect Detect Respond Recover 15 ( 8 / 7 / 0 ) 84 ( 30 / 36 / 18 ) 26 ( 0 / 21 / 5 ) 9 ( 5 / 4 / 0 ) 0 134 ( 43 / 68 / 23 ) 56 ( 18 / 34 / 4 ) 125 ( 33 / 72 / 20 ) 5 ( 0 / 5 / 0 ) 11 ( 7 / 4 / 0 ) 0 197 ( 58 / 115 / 24 ) 14 ( 0 / 10 / 4 ) 94 ( 21 / 53 / 20 ) 32 ( 3 / 28 / 1 ) 0 0 140 ( 24 / 91 / 25 ) 22 ( 9 / 13 / 0 ) 67 ( 32 / 21 / 14 ) 12 ( 0 / 0 / 12 ) 0 17 ( 13 / 4 / 0 ) 118 ( 54 / 38 / 26 ) 24 ( 9 / 15 / 0 ) 90 ( 84 / 6 / 0 ) 0 ( 0 / 0 / 0 ) 6 ( 6 / 0 / 0 ) 0 120 ( 99 / 21 / 0) 134 ( 44 / 79 / 8 ) 460 (200 / 188 / 72 ) 75 (3 / 54 / 18 ) 26 ( 18 / 8 / 0 ) 17 (13 / 4 / 0 ) 709 ( 278 / 333 / 98 ) Devices Applications Networks Data Users Total Total
  14. 14. #RSAC @sounilyu Use Case 22: Measurement Health 14 HARD EASY RELATIVE DIFFICULTY Performance How well does the capability work? B 96% Efficiency How cost effective is the capability? A $$ Presence Does the capability exist? E Coverage Is the capability enabled? D Utilization Are all available features enabled? C 0.25 0.40 0.20 0.20 0.10 0.10 0.15 0.15 0.10 0.20 0.05 0.10 0.20 0.30 0.10 Identify Protect Detect Respond Recover Devices Apps Networks Data Users $50 $100 $50 $50 $100 $50 $100 $100 $100 $50 $50 $50 $50 $50 $50 Identify Protect Detect Respond Recover Devices Apps Networks Data Users E B D E F C B B E F A A E F E E B B F E D C F E F Identify Protect Detect Respond Recover Devices Apps Networks Data Users
  15. 15. #RSAC @sounilyu Use Case 23: Developing a roadmap 15 Grocery Layer 1: Recipes Proven Practices, Frameworks, Reference Architectures Layer 2: Pantry Current State Capabilities Layer 3: Market Commercial Options, Art of the Possible Business/Mission/Technology Constraints, Exceptions Layer 5: Nutritional Needs Risks, Attack Surfaces, Threat Environment The “Stack” Combined Matrices Nutritional and Dietary Needs Foundation Cyber Defense Matrix Layer 4: Allergies Allergies and Dietary Restrictions Pantry
  16. 16. #RSAC @sounilyu Use Case 23: Constructing a roadmap 16 How secure am I? How secure should I be? How do I get there?                        Existing Capabilities (Pantry)                            Best Practices, Architectures (Recipes) Risks (Nutritional Needs) Prospective Capabilities (Market) Mission/Business/Tech Constraints (Allergies/ Dietary Restrictions)
  17. 17. #RSAC @sounilyu Use Case 23: Interpreting the roadmap 17                                               Opportunities to innovate Table stakes / Just do it Risk Management Discussion: • Active attacks underway • Regulatory requirement • Capabilities are available... • … but controls create major mission impact Opportunities to deprecate or capture best practice Risk Management Discussion: • Active attacks underway • No regulatory requirement • Capabilities are available... • … but controls create minor mission impact  Architectural Requirements  Existing Capabilities  Commercial Capabilities Attack Surfaces Business/Mission Constraints
  18. 18. #RSAC @sounilyu Use Case 24: Board Level View 18 Devices Applications Networks Data Users Degree of Dependency Technology People Process Identify Protect Detect Respond Recover Sufficient Controls Initiatives Underway Additional Effort Required No Attack Surface
  19. 19. #RSAC @sounilyu Use Case 25: Seeing gaps and opportunities 19 Identify Protect Detect Respond Recover Technology People Process A – B – C – D – E F – G – H – I – J K – L – M – N – O P – Q – R – S – T U – V – W – X – Y – Z A – B – C – D – E F – G – H – I – J K – L – M – N – O P – Q – R – S – T U – V – W – X – Y – Z A – B – C – D – E F – G – H – I – J K – L – M – N – O P – Q – R – S – T U – V – W – X – Y – Z A – B – C – D – E F – G – H – I – J K – L – M – N – O P – Q – R – S – T U – V – W – X – Y – Z A – B – C – D – E F – G – H – I – J K – L – M – N – O P – Q – R – S – T U – V – W – X – Y – Z Devices Applications Networks Data Users Degree of Dependency
  20. 20. #RSAC @sounilyu Use Case 25: Seeing gaps and opportunities 20 Identify Protect Detect Respond Recover Technology People Process A – B – C – D – E F – G – H – I – J K – L – M – N – O P – Q – R – S – T U – V – W – X – Y – Z A – B – C – D – E F – G – H – I – J K – L – M – N – O P – Q – R – S – T U – V – W – X – Y – Z A – B – C – D – E F – G – H – I – J K – L – M – N – O P – Q – R – S – T U – V – W – X – Y – Z A – B – C – D – E F – G – H – I – J K – L – M – N – O P – Q – R – S – T U – V – W – X – Y – Z A – B – C – D – E F – G – H – I – J K – L – M – N – O P – Q – R – S – T U – V – W – X – Y – Z Devices Applications Networks Data Users Degree of Dependency
  21. 21. #RSAC @sounilyu Use Case 25: Seeing gaps and opportunities 21 Identify Protect Detect Respond Recover Technology People Process A – B – C – D – E F – G – H – I – J K – L – M – N – O P – Q – R – S – T U – V – W – X – Y – Z A – B – C – D – E F – G – H – I – J K – L – M – N – O P – Q – R – S – T U – V – W – X – Y – Z A – B – C – D – E F – G – H – I – J K – L – M – N – O P – Q – R – S – T U – V – W – X – Y – Z A – B – C – D – E F – G – H – I – J K – L – M – N – O P – Q – R – S – T U – V – W – X – Y – Z A – B – C – D – E F – G – H – I – J K – L – M – N – O P – Q – R – S – T U – V – W – X – Y – Z Devices Applications Networks Data Users Degree of Dependency
  22. 22. #RSAC @sounilyu Use Case 26: Improving Situational Awareness 22 Devices Applications Networks Data Users Degree of Dependency Technology People Process Identify Protect Detect Respond Recover Post-Event Situational Awareness Pre-Event Structural Awareness
  23. 23. #RSAC @sounilyu Use Case 26: Improving Situational Awareness 23 Devices Applications Networks Data Users Degree of Dependency Technology People Process Identify Protect Detect Respond Recover Contextual Awareness Environmental Awareness Contextual Awareness Environmental Awareness
  24. 24. #RSAC @sounilyu Use Case 26: Improving Situational Awareness 24 Devices Applications Networks Data Users Degree of Dependency Technology People Process Identify Protect Detect Respond Recover Contextual Awareness Environmental Awareness Contextual Awareness Environmental Awareness Structural Awareness Situational Awareness
  25. 25. #RSAC @sounilyu Use Case 26: Improving Situational Awareness 25 Devices Applications Networks Data Users Degree of Dependency Technology People Process Identify Protect Detect Respond Recover Contextual Awareness Environmental Awareness Structural Awareness Situational Awareness
  26. 26. #RSAC @sounilyu Use Case 26: Improving Situational Awareness 26 Devices Applications Networks Data Users Degree of Dependency Technology People Process Identify Protect Detect Respond Recover Endpoint acting funny Situational: Machine compromised due to malware installed through client-side attack Contextual: User clicked on a spear phishing email Environmental: User of endpoint failed last phishing simulation test Structural: Fully patched, locked down endpoint, 2FA enabled Environmental: Training and awareness not complete
  27. 27. #RSAC @sounilyu Use Case 26: Improving Situational Awareness 27 Devices Applications Networks Data Users Degree of Dependency Technology People Process Identify Protect Detect Respond Recover Contextual: No unusual logins or interactions with server Structural: Data is encrypted DLP alerts firing off Environmental: Content originated from server housing sensitive blueprints for new product Environmental: New B2B connection made with a Chinese manufacturing plant Environmental: Regular user of server aligned to new China project Situational: Probably normal business activity Did user get phished?
  28. 28. #RSAC @sounilyu Use Case 27: Mapping Training 28 Identify Protect Detect Respond Recover Technology People Process Devices Applications Networks Data Users Degree of Dependency SEC505: Securing Windows and PowerShell Automation SEC503: Intrusion Detection In- Depth SEC617: Wireless Penetration Testing and Ethical Hacking SEC542: Web App Penetration Testing and Ethical Hacking SEC567: Social Engineering for Penetration Testers SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses DEV543: Secure C/C++ Coding FOR500: Windows Forensic Analysis SEC460: Enterprise Threat and Vulnerability Assessment FOR572: Advanced Network Forensics: Threat Hunting, Analysis & Incident Response SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling SEC530: Defensible Security Architecture and Engineering SEC530: Defensible Security Architecture and Engineering SEC530: Defensible Security Architecture and Engineering SEC450: Blue Team Fundamentals: Security Operations and Analysis SEC450: Blue Team Fundamentals: Security Operations and Analysis SEC460: Enterprise Threat and Vulnerability Assessment SEC506: Securing Linux/Unix SEC534: Secure DevOps: A Practical Introduction
  29. 29. #RSAC @sounilyu Use Case 28: Mapping Cloud (IaaS/PaaS) Security 29 Identify Protect Cloud Security Posture Management (CSPM) Cloud Workload Protection Platform (CWPP) Devices (containers, compute, hosts) Applications (microservices, serverless) Networks (VPC, VPN, CDN, DNS) Data (datastores, databases, files) Users (accounts, user roles) CSPM IAM Configuration PaaS Configuration Network Configuration Storage Configuration CWPP Cloud Workload Protection Platform CWPP CWPP CWPP CWPP CWPP Cloud-Native Security Services ADC, LB, WAF, DoS, FW, etc. Control Plane Data Plane Source: Gartner Market Guide for Cloud Workload Protection Platforms, 2020 (slightly modified) CIEM
  30. 30. #RSAC @sounilyu Use Case 29: Mapping Control Failures 30 1. No asset inventory (CSC01) 2. No software inventory (CSC02) 3. No file integrity monitoring 4. No network segmentation 5. Neglected SSL Inspection (SSLV) Appliance 6. Neglected SSLV failed open 7. SSLV lacked certs for key systems 8. SAST failed to find Struts due to misconfig 9. No anomaly detection on web servers 10. Custom snort rule didn’t work 11. Custom snort rule wasn’t tested 12. Network scanner didn’t find Struts 13. Failed to detect webshells 14. Failed to detect interactive activity 15. Admins stored cleartext creds in open shares 16. Least privilege principles not followed for database access 17. DB adhoc queries restrictions not implemented 18. No DB anomaly monitoring 19. No field-level encryption in DBs 20. No data exfiltration detection 21. DAST scanning failed to detect vulns 22. Ineffective IR plan/procedures 23. No owners assigned to apps or DBs 24. Comms issues due to corp structure 25. Lack of accountability in processes 26. Patching remediation lacked follow up 27. Old audit findings were not addressed 28. Insecure NFS configs 29. Logs retained for less than 30 days
  31. 31. #RSAC @sounilyu Use Case 29: Mapping Control Failures Courtesy of Adrian Sanabria (@sawaba) 31 1, 12 26, 28 29 2, 8, 21, 23 26 3, 9, 13, 14 4, 5, 6, 7, 16 10, 11, 20 15, 23 16, 17, 19 17, 18, 20 Devices Applications Networks Data Users Degree of Dependency Technology People Process Identify Protect Detect Respond Recover 1, 12 26, 28 29 2, 8, 21, 23 26 3, 9, 13, 14 4, 5, 6, 7, 16 10, 11, 20 15, 23 16, 17, 19 17, 18, 20
  32. 32. #RSAC @sounilyu Use Case 29: Mapping Control Failures Courtesy of Adrian Sanabria (@sawaba) 32 1, 12 26, 28 29 2, 8, 21, 23 26 3, 9, 13, 14 4, 5, 6, 7, 16 10, 11, 20 15, 23 16, 17, 19 17, 18, 20 Devices Applications Networks Data Users Degree of Dependency Technology People Process Identify Protect Detect Respond Recover People Oriented Control Failure Process Oriented Control Failure Tech Oriented Control Failure 1, 12 26, 28 29 2, 8, 21, 23 26 3, 9, 13, 14 4, 5, 6, 7, 16 10, 11, 20 15, 23 16, 17, 19 17, 18, 20
  33. 33. #RSAC @sounilyu Use Case 30: Reconciling Inventories 33 With modifications from original source: https://www.philvenables.com/post/taking-inventories-to-the-next-level-reconciliation-and-triangulation • Enable inventory reconciliation using a multi-domain approach using the five asset classes of the Cyber Defense Matrix • Drive better data quality by creating “fast lanes” for security approvals if inventories are up- to-date Authorized data sources can only go to approved vendors from approved applications Applications must run on known systems or be contained in authorized container registries All employees must have a direct manager All data associated with Internet facing applications must be classified/ tagged Data owners must formally hold that role and be part of the organization accountable for that data Vendor Inventory Application Inventory Device Inventory Network Inventory Data Catalog User Directory Role Directory
  34. 34. #RSAC @sounilyu “Apply” Slide 34 Map your security organization to the Cyber Defense Matrix Try out the use cases described here, in the previous briefings, and in the Cyber Defense Matrix book Develop a new use case for the Cyber Defense Matrix Share the new use case with the community!
  35. 35. #RSAC @sounilyu Questions? 35 https://cyberdefensematrix.com @sounilyu https://www.slideshare.net/sounilyu/presentations https://www.linkedin.com/in/sounil @cyberdefmatrix

Editor's Notes

  • This will be the third and final installment of the Cyber Defense Matrix (CDM) as a standalone presentation. The previous two occurred in 2016 and 2019, so this would be well placed with 3 years of spacing in between.

    In this last installment, I plan to share more new use cases of the CDM including:

    How threat hunters can methodically gain increasing levels of situational awareness
    How planners can anticipate erosion of controls and budget for training and technology refreshes
    How governance teams can build a metrics and measurements program starting with the CIS Controls Assessment Specification (which is already mapped to the CDM)
    How application security teams can align security functions into the CI/CD pipeline, DevOps, and the Agile methodology
    How practitioners can evaluate how thoroughly they have covered their cloud security needs
    How entrepreneurs and VCs can find new market opportunities and adjacencies to existing products
    How vulnerability management teams can prioritize vulnerabilities better when they have a more complete view in context with other assets and mitigating controls
    How CISOs can develop their security program roadmap
    How the CDM enables a multi-domain approach for inventory and reconciliation
    How CISOs can leverage the CDM in board briefings to convey a complete view of their entire security program in one slide

    I will start the session by giving a quick overview of the CDM, showing how we can do the standard mapping of security vendors to the CDM, quickly point out the 20 other use cases previously shown in the 2016 and 2019 briefings, and then launch into the new use cases that I've described. I'll wrap up by mentioning the Learning Lab if people want to learn more.

×