
Understanding the Cyber Security Vendor Landscape


We are often inundated with vendors offering their products and services to solve our various information security problems. How can you make sense of the wide range of technologies and ensure that your control gaps are being covered? Where are opportunities for technology disruption? Where are you overly reliant on technology? This is a framework for understanding security technologies so that you can align vendors in the right bucket to ensure that you have the suite of technologies that you need to execute your information security mission.

Published in: Business


  1. Understanding the Cyber Security Vendor Landscape. Sounil Yu, May 18, 2015. TLP: WHITE
  2. Disclaimers: The views, opinions, and positions expressed in this presentation are solely my own. They do not necessarily represent the views and opinions of my employer and do not constitute or imply any endorsement or recommendation from my employer. "All models are wrong, but some are useful." (George E. P. Box)
  3. The information security industry is full of jargon terms that make it difficult for buyers to understand what exactly we are buying. To accelerate the maturity of our information security practices, we need a common language for the products and services that we buy.
  4. Our common language can be bounded by five asset classes and the operational functions in the NIST Cybersecurity Framework. Asset classes: Devices (workstations, servers, VoIP phones, tablets, IoT, storage, network devices, infrastructure, etc.); Apps (the software, interactions, and application flows on the devices); Networks (the connections and traffic flowing among devices and applications); Data (the information residing on, traveling through, or processed by the resources above); People (the users of the resources listed above). Operational functions: Identify (inventorying assets, measuring attack surface, baselining normal, risk profiling); Protect (preventing or limiting impact, containing, hardening, managing access); Detect (discovering events, triggering on anomalies, hunting for intrusions); Respond (acting on events, eradicating intrusion footholds, assessing damage, coordinating, reconstructing events forensically); Recover (returning to normal operations, restoring services, documenting lessons learned).
  5. Matrix of Asset Classes against Operational Functions. [Figure: 5x5 grid of asset classes (Devices, Applications, Network, Data, People) against operational functions (Identify, Protect, Detect, Respond, Recover), with a bar beneath showing the degree of dependence on Technology, People, and Process across the functions.]
  6. Left and Right of "Boom". [Figure: the same matrix, with the five functions split into a pre-compromise half (left of boom) and a post-compromise half (right of boom), above the Technology / People / Process dependence bar.]
  7. Enterprise Security Market Segments. [Figure: the matrix populated with market segments: IAM; Endpoint Visibility and Control / Endpoint Threat Detection & Response; Configuration and Systems Management; Data Labeling; App Sec (SAST, DAST, IAST, RASP), WAFs; Phishing Awareness; DDoS Mitigation; Insider Threat / Behavioral Analytics; Web Fraud Detection; Network Security (FW, IPS); DRM; Data Encryption, DLP; IDS; Netflow; Full PCAP; AV, HIPS; Deep Web, Brian Krebs, FBI; Backup.]
  8. We care about more than just the assets that are directly owned and controlled by the enterprise. [Figure: the same asset classes and operational functions as on slide 4, applied not only to the Enterprise but also to Threat Actors, Vendors / Third Parties, Customers, and Employees.]
  9. Market Segments – Other Environments. [Figure: Threat Actor Assets: Threat Intel, Intrusion Deception. Vendor Assets: Cloud Access Security Brokers, Vendor Risk Assessments. Customer Assets: Endpoint Fraud Detection, Device Fingerprinting. Employee Assets: BYOD MAM, BYOD MDM. Also placed on the slide: Web Fraud Detection, Malware Sandboxes.]
  10. Security Technologies Mapped by Asset Class. [Figure: the five asset classes with their definitions from slide 4, each with its security technologies grouped beneath it.]
  11. Security Technologies Mapped by Operational Functions. [Figure: the five operational functions with their definitions from slide 4, each with its security technologies grouped beneath it; MSSPs / IR is among the labels.]
  12. Security Technologies by Asset Classes & Operational Functions. [Figure: the full matrix of asset classes against operational functions, with the Technology / People / Process dependence bar.]
  13. Use Case 1: Understanding how products in one area support the capabilities of another area. Threat intelligence providers fall into the Threat Actor Assets category (Threat Intel), and threat integration platforms that consume, integrate, and act on threat intelligence through other products fall into the Enterprise Assets categories.
  14. Use Case 2: Understanding how to balance your portfolio without breaking the bank (a.k.a. Anti-Cyber Bingo Card). [Figure: the matrix with each of its 25 cells marked "O", like a bingo card.]
  15. Use Case 3: Understanding the maturity of your program. [Figure: the matrix with each cell rated on a 1–5 scale.]
  16. Use Case 4: Disintermediation of Components for Easier Orchestration. [Figure: components named by environment, asset class, and function (Vendor Application Protection, Enterprise Network Detection, Enterprise Network Response, Customer Device Protection, Threat Actor People Identification, Enterprise Network Identification, Customer Device Identification) exchanging messages over a Common Message Fabric.]
  17. Use Case 5: Differentiating between a platform and a product. [Figure: the matrix, with a Product covering a single cell and a Platform spanning several.] What makes a technology a "platform"? 1. Enables enterprises to operate as mechanics and not just chauffeurs. 2. Exposes all its functions through APIs for easier integration with other technologies and capabilities. 3. Leverages data exchange standards that enable interchangeable components.
  18. Use Case 6: Identifying gaps in technology investment / portfolios or an overreliance on technology. [Figure: the Enterprise Assets market segments from slide 7 (IAM; Endpoint Visibility and Control / Endpoint Threat Detection & Response; Configuration and Systems Management; Data Labeling; App Sec (SAST, DAST, IAST, RASP), WAFs; Phishing Awareness; DDoS Mitigation; Insider Threat / Behavioral Analytics; Web Fraud Detection; Network Security (FW, IPS); DRM; Data Encryption, DLP; IDS; Netflow; Full PCAP; AV, HIPS; Deep Web, Brian Krebs, FBI; Backup) plotted against the degree of dependence on Technology, People, and Process.]
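Use Cases 2 and 6 both reduce to the same check: place each product in the cells of the matrix it actually covers, then look for empty cells (gaps) and crowded cells (possible over-investment). The script below is an added example and not part of the deck; the asset classes and functions are the ones the deck defines on slide 4, but the sample portfolio and the cell each product is placed in are constructed for illustration and are not the deck's own mapping.

```python
"""Portfolio gap check over a 5x5 asset-class / operational-function matrix.

Added example, not from the presentation. The axes are the deck's; the sample
portfolio and its cell placements are constructed assumptions for illustration.
"""

ASSET_CLASSES = ["Devices", "Applications", "Network", "Data", "People"]
FUNCTIONS = ["Identify", "Protect", "Detect", "Respond", "Recover"]

# Constructed sample portfolio: product -> set of (asset class, function) cells
# it is assumed to cover. Placements are illustrative, not the deck's mapping.
SAMPLE_PORTFOLIO = {
    "Configuration and Systems Management": {("Devices", "Identify")},
    "AV, HIPS": {("Devices", "Protect")},
    "Endpoint Threat Detection & Response": {("Devices", "Detect"), ("Devices", "Respond")},
    "App Sec (SAST, DAST, IAST, RASP)": {("Applications", "Identify"), ("Applications", "Protect")},
    "WAF": {("Applications", "Protect")},
    "Network Security (FW, IPS)": {("Network", "Protect")},
    "IDS": {("Network", "Detect")},
    "Netflow": {("Network", "Detect")},
    "Full PCAP": {("Network", "Detect"), ("Network", "Respond")},
    "Data Encryption, DLP": {("Data", "Protect")},
    "Backup": {("Data", "Recover")},
    "IAM": {("People", "Protect")},
    "Phishing Awareness": {("People", "Protect")},
}


def _cell_order(cell):
    """Sort key that walks the matrix row by row in the deck's order."""
    asset, function = cell
    return (ASSET_CLASSES.index(asset), FUNCTIONS.index(function))


def coverage_matrix(portfolio):
    """Return {(asset, function): [product, ...]} for every cell, including empty ones."""
    cells = {(a, f): [] for a in ASSET_CLASSES for f in FUNCTIONS}
    for product, covered in portfolio.items():
        for cell in covered:
            if cell not in cells:
                raise ValueError(f"{product}: {cell} is not a cell of the matrix")
            cells[cell].append(product)
    return cells


def gaps(portfolio):
    """Cells with no product at all: the unmarked squares on the bingo card."""
    matrix = coverage_matrix(portfolio)
    return sorted((c for c, products in matrix.items() if not products), key=_cell_order)


def concentrations(portfolio, threshold=2):
    """Cells holding more than `threshold` products: candidates for consolidation."""
    matrix = coverage_matrix(portfolio)
    return {c: products for c, products in matrix.items() if len(products) > threshold}


def function_coverage(portfolio):
    """Fraction of asset classes with at least one product, per operational function."""
    matrix = coverage_matrix(portfolio)
    return {
        f: sum(1 for a in ASSET_CLASSES if matrix[(a, f)]) / len(ASSET_CLASSES)
        for f in FUNCTIONS
    }


def render(portfolio):
    """Text grid of product counts per cell, with '.' marking a gap."""
    matrix = coverage_matrix(portfolio)
    width = max(len(a) for a in ASSET_CLASSES)
    lines = [" " * width + "  " + " ".join(f"{f:>8}" for f in FUNCTIONS)]
    for a in ASSET_CLASSES:
        counts = [len(matrix[(a, f)]) or "." for f in FUNCTIONS]
        lines.append(f"{a:<{width}}  " + " ".join(f"{str(c):>8}" for c in counts))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE_PORTFOLIO))
    print("\nGaps:", ", ".join(f"{a}/{f}" for a, f in gaps(SAMPLE_PORTFOLIO)))
    for cell, products in concentrations(SAMPLE_PORTFOLIO).items():
        print(f"Crowded {cell[0]}/{cell[1]}: {products}")
    for f, frac in function_coverage(SAMPLE_PORTFOLIO).items():
        print(f"{f:<9} {frac:.0%} of asset classes covered")
```

Run against the constructed portfolio, the grid shows Protect covered for every asset class while Recover has a single product, and Network/Detect holds three overlapping tools; that asymmetry is the "overreliance on technology in one place, gaps elsewhere" pattern Use Case 6 is about. Replacing the sample dictionary with a real inventory, placed cell by cell as the deck suggests, gives the same report for an actual portfolio.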
  19. Use Case 7: "Effective Half Life" of Capabilities, Skills, and Processes. [Figure: the matrix with each cell rated 1–5; three sets of 25 scores appear on the slide, whose row and column layout is not recoverable from the extracted text: 5 3 3 5 5 4 5 2 5 5 1 2 2 5 5 3 5 3 5 5 2 3 3 4 5 / 3 4 2 3 4 4 5 5 4 4 3 2 1 3 1 2 3 3 2 5 1 3 2 3 2 / 3 4 5 4 5 3 3 3 4 3 4 5 1 5 4 4 3 5 3 5 3 5 2 5 3.]
  20. Model Shortfalls: Where is analytics? GRC? Orchestration? This framework supports the higher-level functions of orchestration, analytics, and governance/risk/compliance (GRC), but they are represented on a different dimension.
  21. Comparison of Models: Gartner's Five Styles of Advanced Threat Defense (Source: Gartner). [Figure: Gartner's grid of Time (Real Time / Near Real Time versus Post Compromise (Days/Weeks)) against Where to Look (Network, Payload, Endpoint), holding the five styles Network Traffic Analysis, Network Forensics, Payload Analysis, Endpoint Behavior Analysis, and Endpoint Forensics (Styles 1–5); the five styles are then placed onto this framework's Threat Actor Assets and Enterprise Assets matrices.]
  22. Comparison of Models: Forrester's Targeted-Attack Hierarchy of Needs. [Figure: a pyramid whose layers, as listed on the slide, are: detection and response; prevention; an integrated portfolio that enables orchestration; a focus on the fundamentals; a dedication to recruiting and retaining staff; an actual security strategy.] Source: Forrester Research, Inc., http://blogs.forrester.com/rick_holland/14-05-20-introducing_forresters_targeted_attack_hierarchy_of_needs
